THE YEAR AHEAD: Lions, Tigers, Bears, the Feds...

Your Role page 28
Your Government page 34
Your Adversaries page 40
Your Technology page 46

Special issue coverage begins on page 27

December 2003 $9.00
www.csoonline.com


...registered trademarks. Symantec Gateway Security is a trademark of Symantec Corporation. ©2003 Symantec Corporation. All rights reserved.

Today's threats require a lot more than a firewall. This is a lot more f

Firewall
Intrusion Prevention
Intrusion Detection
Antivirus
Content Filtering
Anti-Spam
VPN

Introducing the Symantec™ Gateway Security 5400 Series. It wasn't long ago that a firewall provided all the perimeter protection an enterprise needed. But that was before blended threats like Slammer and Blaster. Now there's the Symantec Gateway Security 5400 Series, a range of full inspection firewall appliances that integrate intrusion prevention and intrusion detection, antivirus, content filtering, anti-spam and VPN. The result is better protection against complex attacks and, thanks to centralized management capabilities, greater control over your organization's perimeter security. To learn more or to receive a copy of our free multimedia CD, "Symantec Gateway Security 5400 Series," visit http://ses.symantec.com/SGS5400 or call 800 745 6054.


I want to stop thinking about the threats that could fill my network.

start

Start growing your business securely with Intrusion Prevention Solutions from McAfee Security.

With a powerful combination of McAfee System Protection and Network Protection Solutions, McAfee Security does more than merely detect known and unknown threats—it actually prevents them. From the desktop, to the network, to the server, the McAfee Protection-in-Depth™ strategy and our proven Intrusion Prevention technologies provide complete protection for the enterprise. So you can spend less time thinking about security issues and more time thinking about growth issues. Learn more today at start.mcafeesecurity.com

Because security is not just about what you can stop.

Network Associates


December 2003
Vol. 2, No. 12

24 The Renaissance of the CSO
FLASHPOINT Tomorrow's jobs will broaden the skill set and deepen the knowledge level required of security executives. By David H. Holtzman

58 And to All, a Good Night
CSO UNDERCOVER The coming years promise an increase in security planning to support strategic business planning. Will it be a CSO's dream come true or one big nightmare?

27 Introduction
What is the current reality in security and what will CSOs need to do before they can move forward? Come inside our special issue. We'll help you plot the future. By Kathleen Carr

15 Briefing
Armed and Flying; Lights, Camera, Grandma; The Going Rate; It's a Mob Scene; Here's to Your Health

28 Job Descriptions
THE CSO ROLE We put questions to a quartet of CSOs and a leading recruiter to see how the shape of the security practice is changing.

22 Wonk
Coming attractions: A look at who and what will take the House and Senate floors in the months ahead. By Julie Hanson

34 Capital Ideas
GOVERNMENT RELATIONS As the government's influence over security practices grows, CSOs have a few suggestions to improve public-private partnerships. By Todd Datz

53 Machine Shop
Machine vision promises to change the image of security. By Fred Hapgood
TOOLBOX New gear for first responders.

40 Underground Fears
ADVERSARIES The coming wave of security threats will increasingly be blended with physical and information components. CSOs who want to prepare for these attacks will have to meld their defenses to meet the challenge. By Daintry Duffy

64 Debriefing
2003: The Quiz

46 Safety Measures
TECHNOLOGY In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower. By Christopher Lindquist

IN EVERY ISSUE: 6 CSOonline.com; 10 Letter from the Editor; 12 Letters; 62 Index

Cover photo by Gettyone


4  www.csoonline.com  December  2003 


"There's been a school of thought that the security mission is competitive with operations. In this company, [security] is interwoven in the culture."

-FRANCIS D'ADDARIO, CSO, STARBUCKS




Strong Authentication

Pay 2/3 less for strong (two-factor) authentication. Use the same A-Key™ for an optional suite of strong e-security.

Authenex

Web Access Control

Affordable Strong e-Security

More e-Security for Less Money

File/Folder/HD Encryption
Secure File Exchange
Digital Cert Storage

You get strong authentication more versatile than that provided by the industry leader, for 1/3 the price.* Plus, you can use the same A-Key token for: web access control, 128-bit AES encryption for files/hard disk/folders, secure file exchange, and storage for digital certificates. You save even further through ease of deployment and management.

* Price comparison and token prices are approximated based on average per token retail price of RSA SecurID tokens (in 25 pack of 5 year tokens) randomly surveyed from internet retailers on May 13, 2003, and the average per token retail price of Authenex A-Key tokens (in 25 pack of tokens) as of May 13, 2003. Prices are for tokens only and do not include related software. Prices may be subject to change without notice.

** Certain terms and conditions may apply.

Get Your FREE A-Key Today** on the web at www.authenex.com or call us at 1.877.AUTHENEX

Network Engines

Microsoft Certified Partner

Authenex ASAS and other Authenex Enterprise products are now available as stand-alone appliances through Network Engines™

© 2003, Authenex, Inc. All Rights Reserved. Authenex, A-Key and associated logos are trademarks of Authenex, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.




THE RESOURCE FOR SECURITY EXECUTIVES

President Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL

Editor in Chief Lew McCreary
Executive Editor Derek Slater
Managing Editor Elaine M. Cummings


Security Counsel

This month, Dan Lohrmann, chief information security officer of the state of Michigan, will be answering readers' questions about homeland security. Visit SECURITY COUNSEL and post your questions online. Look for responses in the February 2004 issue of CSO.
www.csoonline.com/counsel

CSO Research Centers

Visit CSOonline.com's RESEARCH CENTERS to find archived articles from CSO and its sister publications, webcasts, interviews and links to relevant sources. Research centers allow readers to dig deep on topics including executive relationships, legal issues, strategy and management trends, and threats and recovery best practices. Our editors update the research centers frequently, so visit often.
www.csoonline.com/research

What does that number mean?

It means there's an easier way to find CSO articles online than typing URLs. Use the DocID number at the end of each feature to quickly take you from the magazine to related content on the Web.

Road Rules

Protect yourself, and your employees, while travelling. Read about travel risk services in "Avoiding the Road to Perdition" from the March 2003 issue of CSO. Type the DocID number (above) into the search box at www.csoonline.com to find the article online.

Daily Dose of CSO

If you need more than the monthly fix of articles and analysis of the security industry that CSO brings you each issue, visit our website (www.csoonline.com) for more of the same smart writing and keen analysis in digital form. Here's our lineup:

MONDAY
TALK BACK Tell us what you think. Will consumers buy the Department of Homeland Security's million-dollar ad campaign? Visit each week to discuss this and other controversial topics.
www.csoonline.com/talkback

TUESDAY
SECURITY CHECK Quick and easy. You may also check the results of previous polls, such as "Has your company taken security measures directly related to Sarbanes-Oxley?" Only one in four respondents said yes.
www.csoonline.com/poll

WEDNESDAY
ANALYST REPORTS We've gathered research and analysis from respected sources and put it in one convenient package. In a recent report, Robert Frances Group outlined best practices for patch deployment.
www.csoonline.com/analyst

THURSDAY
METRICS Did you know that government IT security spending will increase 7 percent annually—from $4.2 billion in fiscal year 2003 to nearly $6 billion in fiscal year 2008? Visit each week for new numbers.
www.csoonline.com/metrics

FRIDAY
POLITICS & POLICY Read our weekly recap of action on the Hill. Get the full text of bills before the House and Senate, and blurbs about other legislative activity, inside the Beltway and out.
www.csoonline.com/politics


Managing Editor, Production Cheryl R. Asselin
Senior Editors Scott Berinato, Todd Datz, Daintry Duffy
Research Editor Lorraine Cosgrove Ware
Senior Writer Sarah D. Scalet
Editor at Large Simson Garfinkel
Copy Chief Tom Wailgum
Asst. Managing Editor, Production Kathleen S. Carr
Copy Editors Emily S. Henderson, Sarah Johnson (Assoc.)
Special Projects Manager Lynne Z. Rigolini
Editorial Resource Manager Carol Zarrow
Editorial Assistant Daniel J. Horgan
Editorial Operations Specialist Julie Hanson
Contributors Fred Hapgood, David H. Holtzman, Christopher Lindquist, Paul Roberts

DESIGN

Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Senior Designer Chandra Tallman
Design Operations Specialist Rachel Barnett

ONLINE EDITORIAL

Web Editorial Director Art Jahnke
Consulting Editor Janice Brand
Web Editor Sandy Kendall
Web Writer Jon Surmacz

ONLINE & INFORMATION SYSTEMS

Chief Information Officer Mark Hall

ONLINE

Senior VP/General Manager, Online Tim Horgan
Executive Web Editor Martha Heller
Online Technology Director Dagmar Eiben
Senior Web Developer Ellen Morey
Director of Online Research Kathleen Kotwica
Audience Development Manager Andrew Burrell
Web Developers Diane Chen, Shannon Macdonald
Online Content Researcher Tara Gillet-Liloia
Designer Graham White

INFORMATION SYSTEMS

Infrastructure Manager James C. Burgoyne
User Services Manager Ron Bettencourt
Senior User Services Specialists Michael Fahlsing, Jonathan Frappier
Systems Administrator Robert Reagan

Founder Joseph L. Levy

INTERNATIONAL DATA GROUP

Board Chairman Patrick J. McGovern
CEO Pat Kenealy

BPA INTERNATIONAL MEMBERSHIP
Applied for August 2002
© CXO Media Inc.




Chaos. Control.

Take control of your Internet security.

Introducing Proventia™ Enterprise Protection Products. Just because Internet threats are complex, doesn't mean your security has to be. Finally, a single, unified protection appliance that protects more with less, eliminating the cost and chaos of multiple stand-alone security products. Proventia™ centrally-managed products range from detection up to completely unified and proactive multi-function protection appliances, combining firewall, intrusion prevention and anti-virus technologies. Take control of your enterprise security. Switch to Internet Security Systems today. 800-776-2362. www.iss.net/takecontrol.

Internet Security Systems

© 2003 Internet Security Systems, Inc. All rights reserved worldwide.


I AM A SNARLING PACK OF DOBERMANS.

I AM INTEGRATED SECURITY. I HAVE THE POWER TO PROTECT YOUR NETWORK FROM THE INSIDE, THE OUTSIDE AND FROM EVERYWHERE IN BETWEEN. I ALWAYS KNOW WHO IS ON THE GUEST LIST AND HAVE THE POWER TO DENY THOSE WHO AREN'T ON IT. I SNIFF OUT THREATS SO YOU CAN STAY PRODUCTIVE.

I AM MORE THAN A CISCO 3700 ROUTER.

THIS IS THE POWER OF THE NETWORK. NOW.

Cisco Systems
cisco.com/securitynow




Season of Bounty

Microsoft, taking a page from the antiterror handbook, announced last month that it would offer serious dollars to anyone willing to drop a dime on the architects of those nettlesome exploits, Blaster and Sobig, as well as others yet unnamed. While some critics carped, uncharitably, that this might divert effort and attention from the goal of making Microsoft's product suite a tad hardier and more resistant to exploitation, we applaud the bounty program nonetheless. In the spirit of the season, we would like to nominate some other troubling circumstances that might benefit from a similar approach (which in recent history, you'll recall, was actually pioneered by O.J. Simpson in his effort to catch the "real" killers of Nicole and Ron).

President Bush's chief political adviser, Karl Rove, should offer a $5,000 bounty leading to the capture of whoever in the White House leaked the identity of CIA operative Valerie Plame. Because the Bush administration is eager to get to the bottom of that situation, I'm thinking the president himself might be willing to kick in a few thousand from his $200 million campaign war chest.

My colleague Steve Traynor thinks that someone should offer a bounty of $18,500 (US) to anyone with information leading to the capture of famed Nigerian banker Dr. Collins Mbadiwe. (If you put up the $18,500, I'm told, you stand to get back a good deal more than that!)

Scott Berinato, whose taste in music runs toward stuff that was hot in the late '80s, would like someone to rat out the agent who discovered Celine Dion. He's willing to put up $500 of his own money, and others on the staff are considering making donations of their own.

Locally, people keep stealing the bronze "Make Way for Ducklings" statues of Mack, Quack, Jack, Lack and their siblings right out of the cement pathways of the Boston Common. We'd pay good money to find out who's twisted enough to ducknap beloved art objects.

Sarah Scalet thinks the Recording Industry Association of America ought to offer a bounty to high school and college students who turn in their classmates for downloading music (except, of course, for Celine Dion's).

We've also had it with other celebrities. Would someone rid us of Bennifer? And what about Bill O'Reilly and Al Franken (the guy O'Reilly yelled "Shut up!" at when Franken called him a liar)? And Princess Diana's butler, Paul something or other, can someone please make him go away?

There are a lot of good, principled uses to which the concept of a bounty can be put. We've got a price on the head of any weapon of mass destruction in Iraq. We're willing to pay big bucks for Saddam himself and assorted al-Qaida villains. On the other hand, with all the money escrowed away for information leading to various devoutly wished apprehensions, you could probably fund a lot of arts programs that have been cut from the budgets of cash-strapped school systems. Or create an incentive program within Microsoft to author code that doesn't contain so many of the vulnerabilities that some underemployed morons find so enticing.

The other bounty worth mentioning this month is that contained within the pages of this issue. Our year-end package—deftly managed by Assistant Managing Editor Kathleen Carr and Senior Editor Daintry Duffy—takes a look at the state of the known security universe and points ahead to the future of the profession. We invite your feedback, as always, and wish you a peaceful, bountiful holiday season and a Happy New Year.

-Lew McCreary
mccreary@cxo.com




PHOTO  BY  WEBB  CHAPPELL 


CCTP would have made his life much easier.

Introducing CCTP: video surveillance for the digital age

Want to know more? Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

CCTP, engineered by Anixter, is:

• The only open architecture, standards-based, structured video surveillance solution
• 30% less expensive than traditional CCTV systems
• Video, Power and Control over one optimized UTP cable
• Able to handle existing analog technology
• Ready for the IP surveillance future

Winner of the "Best New Technology" Award at the Federal Office Systems Expo (FOSE)




csoletters@cxo.com

Our September issue included "Sea Change," an article that details how the U.S. Customs Service is working with business partners to improve port security. And now, a word from those partners.

ALTHOUGH THE CUSTOMS-TRADE Partnership Against Terrorism (C-TPAT) program is voluntary, and the Customs validation teams are in a learning curve, it is in the best interest of the corporation to maintain a high level of supply chain security. Even before C-TPAT, our suppliers and customers were asking very pointed questions about supply chain security. To remain competitive, voluntary self-policing is in my best interest. The Customs validation teams will learn a lot from corporations that remain true to a solid self-policing strategy.

JOHN L. SULLIVAN
Director, Worldwide Security and Corporate Flight Operations
Texas Instruments

Also in our September issue was "Firing Line," which detailed how poorly handled employee terminations can become risky security propositions. We recommended that you develop a process for letting workers go. This reader expands on that theory.

EACH EMPLOYEE REACTS DIFFERENTLY to being let go, and thus, the whole situation should be looked into. If there have been previous problems with outbursts or violent comments, then escorting not only makes sense but also shows the remaining employees that the company is concerned about their welfare. I also feel that if someone has to be escorted, a polite yet firm manner is best, as a person who is treated respectfully when being escorted will be much better about leaving. There is no need to treat anyone as a suspect. To simply say—"Why? Are they going to damage something on the way out? Or steal something? No"—is allowing yourself and your company to pay the price of the person who, regardless of all else, does retaliate.

K.L. WOJCIECHOWSKI
Security Officer

We talked to Bruce Schneier in September's "The Evolution of a Cryptographer." He's a proponent of holistic security. That is, looking at security as a whole.

IN HIS ANSWERS, BRUCE SCHNEIER mentions two fundamental aspects of security rooted in human psychology. He notes, "Security is both a feeling and a reality." In fact, checking with the dictionary, security is totally subjective, a feeling of well-being and safety. The reality comes from things behaving as expected. Secure things don't produce unexpected results leading to bad consequences.

Bottom line: The security profession needs more psychologists contributing to understanding these root causes.

MARK JACKSON
Computer and Network Security
Telcordia Technologies

VERY GOOD ARTICLE. BRUCE SCHNEIER seems to be a voice of calm and reason in an otherwise chaotic world. His comments on the National Strategy to Secure Cyberspace were particularly on the mark.

DAVID A. MCGUIRE
Information Security Officer

We want to hear from you.

To respond to articles you've read in CSO, write to us at csoletters@cxo.com. We welcome your criticism, thoughts and suggestions.

How to Reach Us

E-MAIL csoletters@cxo.com
PHONE 508 872-0080
FAX 508 879-7784
ADDRESS CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
SUBSCRIBER SERVICES phone: 866 354-1125; fax: 847 564-9453; e-mail: cso@omeda.com
REPRINTS For article reprints (500 quantity or more), please contact Chad Johnston at RSiCopyright at 651 582-3800 or e-mail csoreprints@rsicopyright.com.

About IDG: International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.




SECONDARY

PRIMARY

Availability Services
Keeping People and Information Connected

...but if they can't be used to run your business, they might as well be here.

Introducing Information Availability.

You've dedicated tremendous time and resources to safeguarding your company's mission-critical systems. But if it isn't combined with a robust, redundant infrastructure, the latest technologies, professional expertise, and proven processes, you won't achieve the levels of availability and uptime today's marketplace demands. That's why you need a SunGard Information Availability strategy. Working with SunGard, we'll customize a total solution that helps ensure your employees and customers have uninterrupted access to the critical systems and data that run your business, 24/7. Make sure all your systems are "go." To see how cost effective an Information Availability strategy can be, see our white paper prepared by IDC at: www.availability.sungard.com

MANAGED SERVICES • PROFESSIONAL SERVICES • BUSINESS CONTINUITY


The Value of Trust

Mobility and security are two words not often used in the same sentence. But now Intel and VeriSign are working together to help enterprises make wireless computing safer and simpler. And make mobile professionals more productive. Intel® Centrino™ mobile technology supports industry standard and leading third-party security solutions, such as VeriSign's Strong Authentication Services and Digital Certificates, to enable safer notebook connectivity. So, security really does set you free. Free from wires. Free from worry. Free to move forward.

VeriSign: The Value of Trust

To learn more about Intel and VeriSign, visit www.SecuritySetsYouFree.com

© 2003 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, Security Sets You Free, Security Intelligence and Control, and other trademarks, service marks, and logos are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries. Intel, Intel Centrino, Intel Inside, the Intel Centrino logo, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.


News, Stats and Fast Facts
Edited by Kathleen Carr and Daintry Duffy


Armed and Flying

TRANSPORTATION In a Wild West duel, a gun would certainly beat a box cutter, but does a gun beat a box cutter when it comes to securing the nation's skies?

Although the Bush administration initially opposed the idea, the Arming Pilots Against Terrorism Act became law as part of the Homeland Security Act of 2002.

But before being allowed to pack heat, pilots must first be trained as federal flight deck officers (FFDO). Candidates are trained in firearm use and defensive tactics during a weeklong course at the Artesia, N.M., Federal Law Enforcement Training Center.

The Transportation Security Administration (TSA) trained its first batch of pilots in April, and hundreds of pilots have since been trained and are flying armed, says Ann Davis, a spokesman for the TSA. By the end of 2004, the TSA expects to have trained thousands.

While the TSA gives a sunny account of its progress, some say the agency's efforts, thus far, have been lackluster. "I'd give the TSA a D," says Leon Laylagian, a representative for the Coalition of Airline Pilots Associations, a trade association that represents pilots for five of the major U.S. airlines.

Laylagian notes that many pilots have reservations about the onerous TSA administrative requirements that are a part of the firearms training.

Among other things, Laylagian cites the intense psychological screening requirements. While not opposed to standard background checks and psychological screening for candidates, Laylagian argues that the TSA is applying a stricter standard to FFDO candidates than it does to candidates for other federal law enforcement jobs.

Pilots are also wary of submitting to the screening because the findings could prevent them from renewing the medical certification that they need to work, he says.

According to Laylagian, those impediments and others have kept the number of armed pilots low. "At the rate it's going, it will take 15 years to train every pilot," he says.

-Paul Roberts

CSO SECURITY CHECK

What do you think will be the next personal security accessory that Americans will clamor for?

57% Home power generators
4% More plastic sheeting and duct tape
15% Biochemical face masks
14% Home panic rooms

To participate in a CSO Security Check poll, visit www.csoonline.com.


Cleanup in Aisle Six

RFIDS If the last soda can fell off the store shelf and there was nobody around to hear it, would it make a noise?

At the Electronic Product Code (EPC) Executive Symposium in Chicago in September, the answer from technology companies was a resounding yes. The show celebrated the launch of the EPC network, an open standard infrastructure that uses RFID (radio frequency identification) tags.

Behind the hype, there is almost universal acknowledgement that RFIDs are the next "big thing"—discreet tags that will replace bar codes and enable products to identify themselves to RFID readers, even when buried within a crate or a ship's hold. MIT's Auto-ID Center cohosted the show and has been a major source of RFID innovation, with the backing of the Department of Defense and major corporations such as Coca-Cola and Wal-Mart.

Sun Microsystems is working with Gillette to implement RFID technology, making it easier for Gillette to track products after they leave its facilities.

As of January 2005, Wal-Mart is requiring its top 100 suppliers to put RFID tags on pallets and cases sent to the retailer.

However, the short term may be filled with more headaches as companies wrestle with the demands of the new technology.

At the symposium, some exhibitors turned on their RFID readers, only to encounter unwanted data from neighboring booths, says Dave Douglas, senior vice president of products and strategy at ConnecTerra.

For many U.S. companies, RFIDs also raise significant privacy concerns. Companies will need to perfect the technology to deactivate or "kill" the RFID tag once a product leaves the store.

-Paul Roberts

ILLUSTRATIONS BY MONIKA MELNYCHUCK




FACIAL RECOGNITION If we stop three terrorists from passing through an airport security checkpoint but let two through, are we winning the war on terrorism? Not so much. A four-month trial of two facial recognition products at Boston's Logan International Airport found that the systems aren't reliable enough to effectively screen passengers. And they also create a lot of work for screeners.

Facial recognition systems by Viisage Technology and Identix were set up at two screening checkpoints to spot 40 volunteer "terrorists" who agreed to have their photos scanned and added to a database of known terrorists, according to Jose Juves, a spokesman for the Massachusetts Port Authority.

Nearly 250 volunteer trials took place between the two checkpoints. Volunteers' faces were matched with faces in the database 60 percent of the time, according to John Dorr, vice president of marketing at Viisage. While that's not bad, it wasn't good enough for Logan officials. "Facial recognition is promising, but it's not the most effective means to do what we wanted, which is

pick  faces  out  of  a  crowd,”  Juves  says. 

Results  varied  widely  depending  on  vari¬ 
ables  such  as  lighting  and  camera  angle.  In 
addition  to  inconsistency,  the  systems  were 
a  burden  for  operators,  who  had  to  man  the 


The  Going  Rate 

SECURITY  INCIDENTS,  AS  REPORTED  TO  CERT, 
ARE  SPIRALING  OUT  OF  CONTROL 


“The  continued  increase  in  incident  reports 
to  CERT  can  be  attributed  to  increased 
incident  activity,  increased  detection 
capabilities  and  increased  reporting.” 


•  (CSO  projection) 

290,000 

Incidents 


-JEFFREY  CARPENTER,  MANAGER  OF 
THE  CERT  COORDINATION  CENTER 


/ 


/  | 

82,094 

O  Incidents 


6  Incidents 

o  o 

1988  1990 


O 

1992 


O 

1994 


1996 


1998 


SOURCE:  CERT.ORG 


2000  2002 


2004 


stations  diligently  to  find  a  match,  according 
to  a  report  by  Counter  Technology,  which 
coordinated  the  study. 

For  the  time  being,  Logan  officials  are 
shelving  facial  recognition  and  other  biomet¬ 
ric  screening  tools  in  favor  of  a 
more  proven  alternative:  humans. 
The  airport  has  trained  state 
police  officers  in  behavior  pattern 
recognition,  the  method  used  by 
security  staff  at  Israeli  national 
airline  El  Al.  “It  has  proven  effec¬ 
tive,  and  it’s  not  dependent  on  a 
photo  database  of  terrorists," 
Juves  says. 

But  the  Israeli  system  requires 
El  Al  passengers  to  arrive  for 
their  flights  three  hours  in 
advance.  The  Israelis  also  use 
ethnic  and  behavioral  profiling 
to  spot  everything  from  mules— 
unwitting  accomplices  who  carry 
lethal  devices— to  suicide 
bombers.  And  if  you  have  an 
Arabic  last  name  or  appearance, 
prepare  to  get  interrogated. 

-Paul  Roberts 


Lights, Camera, Grandma




and easily to protect your critical data, with no need to reconfigure your network.

with a mouse click. The Brick platform delivers proven

©2003 Lucent Technologies

For more information and to download our White Paper, “Overcoming Common Firewall Limitations,” visit www.lucent.com/security.

Lucent VPN Firewall Brick®
Models 20, 80 & 1100 shown

Lucent Technologies
Bell Labs Innovations


Why would 500 people gather in the lobby of a Hyatt in downtown Manhattan to clap in unison? Perhaps it’s the need for community. Or a desire to belong.

Whatever the reason, flash mobs are catching on. A flash mob, by definition, is a large group of people who gather in a usually predetermined location, perform some brief, innocent action—clap or yell—and then quickly disperse. Mobbers have gathered in big cities around the world, including London, New York City, Tokyo and San Francisco. The website Cheesebikini.com is the online meeting place of global flash mobbers. Here, on the site’s message boards, is where the mob planning begins.

Reports of one recent flash mob event tell of 300 participants converging on the Toys “R” Us in Manhattan’s Times Square. The mob trotted up to the second floor and knelt in front of an animatronic T-rex dinosaur (after staring at it for three minutes). When Dino roared, the crowd moaned and cowered in fear. According to a mob site, “Toys ‘R’ Us staffers were so panicked, they shut down the dinosaur and called the police.”

In New York City several flash mobs have occurred without incident, and the city’s finest seem undaunted by the fad. New York City detective Walter Burnes says, “Two months ago, I had no idea what flash mobs were, then I asked around. They haven’t been an issue. But if people block traffic or impede pedestrians, we’ll handle them the same way we handle any large crowd: We’ll disperse them, or we’ll arrest them. We get large crowd calls all the time. Sometimes we get there and they’re gone. Could those have been flash mobs? Sure. But we’re not doing anything differently than we’ve been doing for the last couple of years.”

-Kathleen Carr


A League of Their Own

EVENTS There was a bar, a spa and 120 women in a tropical setting. What a perfect environment to talk security. In September, female security execs gathered at the Alta Associates Executive Women’s Forum on Information Security at Sanibel Harbour Resort & Spa in Fort Myers, Fla. By day, they listened to risk management and CEO panels and heard folks speak on privacy, regulations and the challenges of dealing with Washington. But by night, there was mingling with fellow security executives and hot tubs to soak in.

Perhaps the hot tub loosened everyone up, because event participants noted that failures were openly shared and discussed. “The conference was great,” says Mary Ann Davidson, CSO of Oracle, who attended the event. “In our business, you do so much reading, and you know names, but you never meet the people. I will absolutely keep in touch with the people I met there. We talked quite a bit about vulnerability disclosure and the challenges there. How do we deal with the fact that people are going to be irresponsible and post exploit code? How do we differentiate between helping customers who need to defend against those exploits and appeasing the people who discover them—the researchers? It was a really good and energetic discussion. Interestingly, you know, it had nothing to do with gender.”

Joyce Brocaglia, president and CEO of executive recruiting firm Alta Associates, which ran the conference, says her company plans to make it an annual event. You might be wondering why women need a security conference of their own. Brocaglia points out that as demand has increased for CSOs, the style of leadership that companies are seeking for that role has changed as well. They are seeking someone with executive management skills, not just a technology background, and Brocaglia notes that that’s where the women are a great fit for security positions. They have the technology background, but they also excel at the softer skills of project management and team-building. -Kathleen Carr

DEPARTMENT OF BIG, SCARY NUMBERS

The amount the Fortune 1000 will spend this year on compliance-related projects

SOURCE: AMR RESEARCH






Work Smarter,

We see management a little differently from the other guys.

At NetIQ, we don’t see a problem. Only solutions. Managing your Windows server environment is easier than ever with Microsoft Operations Manager. And, as a key Microsoft partner, NetIQ extends Microsoft Operations Manager to manage and secure your entire enterprise, whether you’re driving UNIX, NetWare, Linux, Windows...or all of them. NetIQ. We’re the management people. And nobody does management smarter. Nobody.

CIO eBook! Get your free copy of From Chaos to Control: The CIO’s Executive Guide to Managing and Securing the Enterprise. www.netiq.com/manageability

Not with us it isn’t.

©Copyright 2003 NetIQ Corporation. All rights reserved. NetIQ and the NetIQ logo are registered trademarks of the NetIQ Corporation. All other names and products mentioned herein may be the registered trademarks of their respective companies.


Here’s to Your Health

INTERVIEW Managing security in a health-care environment presents unique challenges. Not only are hospital emergency rooms and newborn nurseries primary targets for crime, there is also the potential that terrorists could use a health-care facility as a secondary target to augment the effect of a bombing or a bioterrorism incident. CSO spoke with Fred Roll, president of Roll Enterprises, a health-care security consultancy based in Morrison, Colo., about terrorism and hospitals and the vulnerabilities that remain at many health-care facilities.

CSO: How do you approach security planning with a health-care facility?

Fred Roll: Terrorism brings in a whole new set of issues for health-care facilities. They need to look at existing policies and procedures and protocols but also take three steps back and try to think like a terrorist. One of the things I do in seminars is I have people get together in small groups to decide what they would do if they were terrorists and wanted to have the greatest effect in shutting down operations within a facility. The stuff they come up with in five minutes scares me to death. They spend five minutes, but terrorists spend every waking hour thinking about how they can effect a terror act. If you ask people whether hospitals are a primary target for terrorists, most people agree that they are not, but there is the potential for hospitals to become a secondary target.

If a terror event takes place, and people are sick or injured, after triage and after decontamination they will end up in a health-care facility. If terrorists wanted to have an additional psychological effect, they might target the places where the injured go. A health-care security program needs to be reasonable, appropriate, cost-effective and defensible. [Hospital management] has to look at the potential of a terror event and consider vulnerabilities like infection control and utility management. Potential areas of risk are the power plant and oxygen and radiological storage.

What is the weakest link that remains unaddressed in health-care site security?

The number-one uncontrolled risk is after-hours access. A lot of hospitals want to allow open visitation as opposed to controlled visitation. I have no problem with appropriate people entering through a controlled point, where they can be screened and authorized. But without that, the hospital has no idea whether [the people wandering in and out] are good guys, bad guys, terrorists, infant abductors, sexual predators or thieves. If there’s an event that elevates the terror coding system from yellow to orange, what are we going to do about that? When you ask hospitals, a lot of them say “nothing.” People in charge of security should be letting their staffs know that the risk level has gone up and should be asking them to be more vigilant and observant during that period. The toughest thing we have to do in health-care security is keep people aware but not in a fearful mode. The terrorists have already done that. Go to any airport. Can you not think about the events of 9/11? The psychological impact is already there.

How does disaster recovery planning for health-care facilities differ from disaster recovery and contingency planning for corporations?

Hospitals are interesting in that they are their own little communities with campus environments. Inside, people are sick and injured and more vulnerable, which mandates more custodial care. Still, you have to think about access control. There are three concentric rings of security. First, the perimeter of property. Do we have fences, bushes, a river or an expressway? How is that perimeter protected? You may have to restrict traffic in and out. The middle perimeter is the doors and windows to the building. Who can come and go in that building?

On the interior, you have the most security-sensitive areas: the emergency room, pharmacy, newborn nursery area and behavioral health department. Those areas within the inner core of the facility need more security than the rest of the building. ■ -Daintry Duffy

Fred Roll, president of health-care security consultancy Roll Enterprises


FROM THE DEPARTMENT OF STICKY FINGERS

[Pull quote, only partly legible in the scan:] If you b... you have... creativity o... ...ave... ...e into consideration the...

-FRANK ABAGNALE ON I.P. THEFT (FOR MORE ON FOOLS AND HOW THEY WILL STEAL YOUR COMPANY SECRETS, READ “UNDERGROUND FEARS,” PAGE 40)


Need to comply with regulatory requirements for data privacy and security? Or meet internal business requirements and policies? Then you need Entegra.

Entegra is a comprehensive data integrity solution that helps your enterprise address compliance, risk, security, and operations requirements. Know how your data assets are being used. Account for who’s accessed what information - and what changes were made.

Find out more. Request your free white paper, “Data Access Accountability - Who Did What To Your Data When?” by visiting www.lumigent.com/go/cso. Or call us at 1-866-LUMIGENT (1-866-586-4436).

Safeguarding the integrity and availability of enterprise data

Copyright © 2003 Lumigent Technologies, Inc. All rights reserved. Lumigent, Entegra and the Lumigent Logo are trademarks or registered trademarks of Lumigent Technologies, Inc.

If someone viewed your most sensitive corporate information, who would know?

The Who, What and Why of Washington

Top Billing

NEWS FROM INSIDE THE BELTWAY

Coming Attractions

Here’s a look at who and what will take the floors of the House and Senate in the months ahead By Julie Hanson


WHEN CONGRESS returns from its holiday break, the 2004 presidential race will be swinging into high gear. So what bills and issues will be flooding the House and Senate floors? Analysts say that privacy and security will remain hot topics but warn that if CISOs and CSOs do not make their voices heard, their needs won’t be met.

In this congressional session, more than 75 privacy and security bills are on the agenda, approximately 50 in the House and 26 in the Senate. A majority of those bills ask companies in the private sector to manage security in the business by protecting their customers’ data, while complying with government regulations for sharing information, says Michael Rasmussen, Forrester analyst and a vice president at the Information Systems Security Association, or ISSA. With Sarbanes-Oxley compliance deadlines arriving in mid-2004, the pressure is on to comply.

Richard Hunter, vice president, research director and Gartner fellow, is watching the Notification of Risk to Personal Data Act (S. 1350), which would require businesses and government agencies to notify individuals when they have been hacked and there is a possibility of unauthorized access to the individuals’ personal information. This act, sponsored by Sen. Dianne Feinstein (D-Calif.), is modeled in part after a bill that passed in California.

Hunter says he sees a continuing trend in consumer protection and opt-in type requirements for businesses that use the Internet to communicate with their clients. Take, for example, the more than 50 million phone numbers included in the National Do Not Call registry. “Historically in the U.S., once you disclosed something to a business we considered it not private, but this is changing,” says Hunter.

Shannon Kellogg, RSA Security director of government affairs, thinks we will see more identity theft and e-security bills. Although identity theft has received a great deal of attention, Kellogg is not sure we’ll see a bill pass this year. However, on the privacy front, he notes that there is growing interest in Rep. Cliff Stearns’ (R-Fla.) Consumer Privacy Protection Act of 2003 (H.R. 1636). This act would require that data collectors notify consumers as to who is using their data and for what. The act also gives consumers the opportunity to limit the sale or disclosure of their personal information.

“We are seeing a lot of attention in Congress focused on consumer issues: security, ID theft and privacy. I see this continuing into the new year,” says Kellogg.

This trend means a lot of work for the CSO and perhaps the chief risk officer to manage compliance. Rasmussen, though, rarely sees a CSO stamp on legislation reviewed by Congress. “There are a lot of challenges people have to face right now, especially the CISO. It bothers me that their voice is not heard in Washington and that it’s the security vendors that have the biggest voice,” he says. ■

News from Washington

To read more about what’s happening in Washington, D.C., visit our website at www.csoonline.com/wonk.


A bipartisan group of senators is proposing legislation that would amend several controversial provisions of the USA Patriot Act. The Security and Freedom Ensured Act (S. 1709) would make it harder for the FBI to conduct roving wiretaps, obtain library records and delay notice of search warrants.

A bill that would criminalize the sending of “predatory and abusive” e-mail was approved by the Senate Judiciary Committee and moved to the Senate’s docket. The Criminal Spam Act (S. 1293) sets criminal and civil penalties for transmitting spam with the intent to deceive or mislead recipients as to the origin of such messages, falsifying header information, using fake identities to set up multiple e-mail accounts and accessing a protected computer with the intention of sending out spam.

The House Committee on Government Reform is conducting an extensive review of all Transportation Security Administration (TSA) operations, with a specific focus on airline passenger screening. In a letter to TSA Administrator James Loy, Committee Chairman Tom Davis (R-Va.) says that recent incidents where passengers made it through TSA screenings and brought weapons onto planes partially prompted this discovery.

Homeland Security Secretary Tom Ridge has appointed longtime aide Duncan Campbell as the new chief of staff for the Department of Homeland Security. Before working at the DHS, Campbell was the director of intergovernmental affairs for the White House Office of Homeland Security. Prior to that, he served as executive director of the Republican Governors Association and as Pennsylvania’s state director for the Bush-Cheney 2000 election campaign.

PHOTO BY AP/WIDE WORLD PHOTOS


(ISC)²: SUPPORTING INFORMATION SECURITY CAREERS AT EVERY

Achieve the future you envision, no matter where you are in your career path, with support uniquely tailored for information security professionals. (ISC)² provides credentials that are the Gold Standard℠ of the industry, training seminars, peer networking opportunities and other career enhancement strategies. Find out more about:

■ Associate of (ISC)² - recognition for students or those just starting out

■ Certified Information Systems Security Professional (CISSP) - for strategist professionals

■ Systems Security Certified Practitioner (SSCP) - for tacticians

■ Concentrations in Architecture, Engineering and Management for those with specialty skills

For more information on training or certification, please call 1-888-333-4458

© Copyright 2003, (ISC)², Inc. All rights reserved. All marks are the property of the International Information Systems Security Certification Consortium, Inc.


Flashpoint

The Renaissance of the CSO

Tomorrow’s jobs will broaden the skill set and deepen the knowledge level required of security executives

By David H. Holtzman

WE LIVE IN THE present but work in the future. And security officers can’t just react to yesterday’s and today’s problems—they must also avert tomorrow’s. Some of this predictive security will become specialized enough to turn into new types of jobs or, at the very least, certified skills.

Comprehensive formal security training hasn’t become mainstream, but it will.

Today’s security officers learned from on-the-job training and a sprinkling of specialized certificate programs. The security expert of tomorrow, however, will have to be an expert in a variety of trades.

Familiarity with computer systems will be a given, as it is today. But predictive security is broader than “rounding up the usual suspects” after a crisis. It’s more akin to law enforcement profiling. Knowledge of psychology, familiarity with other languages and cultures, and strong interpersonal skills will be crucial components for these security seers. Like cops, they will have to develop a sixth sense for wrongness, whether caused by odd employee behavior or the way that the lights on the router are blinking.

In this new era, the job titles will be different too. Instinctual counterintelligence professionals who specialize in penetration assessments and honey pots will be in demand to establish a first line of defense. The technique behind catching criminals will be secondary to understanding where to set the trap.

Online profilers, like their contemporary law enforcement counterparts, will study the obstructions that human beings create in the orderly flow of cyberspace. By studying employees’ and customers’ behaviors, the analysts will be able to anticipate virtual and physical risks and dangers.

Another type of work will be data archeology, or the excavation of buried information. At its simplest, this process will examine physical devices for hidden digital goods. For instance, my USB watch has enough storage on it to shelve two or three novels, and it would be a great way to smuggle trade secrets out of a building. At a deeper layer, data archeology will entail differentiating between meaningful information and white noise in a data stream, or rooting out messages concealed inside other content.

Reconstruction of an attack currently requires data forensics experts, but their effectiveness will be augmented by a new breed of auditors charged with tracking the history and disposition of all electronic corporate information. Companies will have to ensure that information is erased at appropriate times and that covenants that are attached to customer information stay permanently linked to those records. This will be the only way to be verifiably compliant in the evolving world of global privacy regulation. The detailed analysis of log files and examination of records generated by data auditors will also help close security holes.

There will also be data exterminators who will track down every cloned copy or subset of a file and purge it. That is harder than it sounds, yet for a CSO whose company would otherwise spend eight months in a courtroom defending itself against damaging e-mails or files hidden within the network, it’s a priceless service. This includes the “Wall Street Special,” or deletion of old e-mail as soon as it is legally permissible. A less technical but equally critical function will be the disk destroyer. Studies have shown that three out of four junked computers have data on them. Savvy companies will insist on internal degaussing and outright physical destruction of unused disk drives. Lest we forget, several of the incriminating notes that Monica Lewinsky drafted to President Clinton were never sent. They were recovered from deleted areas of her computer’s drive.

The mundane chore of security by interdiction is morphing into the more difficult task of security by imagination. If the enemy can think it, they can almost certainly do it, and the security officers of tomorrow will have to branch out their skills in all of these areas to keep pace. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and as an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com.

ILLUSTRATION BY ISABELLE CARDINAL


Thursday, December 4th

> Somerset, NJ: Somerset Marriott

> San Francisco, CA: The Palace Hotel

> Washington, DC: Ronald Reagan Building & Int’l Trade Center

Friday, December 5th

> Philadelphia, PA: The Desmond Hotel - Malvern

> San Jose, CA: San Jose Marriott

> Toronto, Ontario: Sutton Place Hotel

Tuesday, December 9th

> Boston, MA: Boston Harbor Hotel

All seminars will commence at 8am and conclude at 9:30am. Breakfast will be served from 7:30am.

Exposures Exposed
Vulnerabilities Vanquished

Educational Seminars on Proactive Network Security

You are cordially invited to a breakfast seminar where you will learn how the latest advances in proactive security measures can significantly reduce network risk. You already have a variety of critical reactive security solutions in place. But you’re increasingly under siege from escalating vulnerabilities that show no sign of abating. Preventive measures that nip potential hacker attacks in the bud, before they occur, are the new “need to know” science of vulnerability management.

Learn how to discover network problems, assess their risk and protect your data in cost-effective ways with the industry’s latest proactive network security solutions.

This is a free seminar that you can’t afford to miss.

Register today at 888-464-2900 or www.ncircle.com/seminars

Sponsored by: nCircle


The CSO Perspectives Conference

April 18-20, 2004
La Costa Resort & Spa
Carlsbad, California

As an executive responsible for securing and protecting your organization’s assets and infrastructure, you must constantly weigh the needs of the business against the potential security risks likely to result from each endeavor or initiative. How much risk—and in what specific areas—is acceptable in your corporate culture? What are your potential legal liabilities? How do you comply with the shifting regulatory landscape? How do you agree upon, implement and continuously communicate the need for security throughout the organization?

The CSO Perspectives Conference will provide you with an educational and networking opportunity designed for senior security executives whose concern is the often delicate balance of risk and security: chief security officers (CSOs), chief information security officers (CISOs) and chief information officers (CIOs).

You’ll gain firsthand knowledge from your peers—professionals who have grappled with the same issues and challenges you’re facing, as well as from experts in law, government and industry.

We’ll focus on:

> Lessons Learned in a Crisis

> Legal Liability Issues

> Protecting Intellectual Property

> The Psychology of Security

> Keeping Security a Top Priority

> Ethics—What are the Boundaries?

> The Impact of Homeland Security and the Patriot Act

> Business Continuity/Disaster Recovery

> The Security/IT Relationship

Join us. Call 800.366.0246 or visit www.csoperspectives.com

CSO
The Resource for Security Executives


Weighed Down by Security Data?

With neuSECURE™, industry-leading software from GuardedNet, you can transform those mountains of raw security event data into what you really need - knowledge to help you manage your organization’s security posture.

Ken Pfeil called “Best Practices for Incident Response”, call 1-888-599-8297 or visit

[Diagram: neuSECURE threat management process. Inputs: Firewalls, Routers, Op Systems, Applications, Others. Steps (labels cut off in the scan): Centralize, Anal..., Correlate, Priori... Output: Knowledge.]

neuSECURE is a security managemei... incident response platform for log as... event correlation, threat analysis, th... and forensic investigation of security event data from firewalls, IDS’, hosts...

facilitates real-time attack detection, investigation and respon...

generates a wide range of reporting optio... operations, management and audit compl...

Transforming Security Data Into Knowledge


Where’s  here?  For  the  CSO,  here  is  the  promise  of  larger 
budgets  and  a  seat  at  the  executive  table.  But  here  is  also  the 

challenge  of  intrusion  detection,  government  regulation, 
inteUectual  property  theft  and  perimeter  security. 

For Starbucks CSO Francis D’Addario, here is a cash register whose till is short $25. For Matthew Devost, a founding director of the Terrorism Research Center, here is an airplane commandeered by a terrorist. For Michail Bletsas, director of computing at MIT’s Media Lab, here is a desktop with faulty encryption. For American Electric Power CSO Michael Assante, here is a dark office amid a statewide blackout. And for Genzyme CSO Dave Kent, here is a building made of glass in a world where intellectual property theft lurks in the bushes.

In other words, here is the CSOs’ current reality—and it’s what they’ll need to face before they can move forward.

To  get  from  here  to  there  means  creating  a 
profitable  environment— one  that  is  also 
comfortable  and  safe.  It  means  predicting 
the  next  form  of  terror  and  understanding 
the  convergence  of  physical  and  IT  threats. 
And  it  means  developing  clear  guidelines  to 
protect  the  critical  infrastructure. 

The  final  destination  of  every  company’s  road 
map  to  security  may  be  different,  but  you  will  face 
many  of  the  same  challenges  as  the  CSOs  above.  What 
does  here  look  like  for  your  company?  And  then,  where  do 
you  go  from  here? 

In this special issue, we’ve asked CSOs, security experts and researchers to share their perspectives on the scenery, detours and bumps in the road that they’ve encountered on their journey from here to there. We’ll help you plot where you are, where Washington is in terms of legislation, what the future holds for technology and where the bad guys hide.

You don’t have a minute to waste. Start here. -Kathleen Carr




December  2003  www.csoonline.com  27 


THE CSO ROLE

Job Descriptions

We couldn’t think of a better way to get at the state of an emerging pr[...] practitioners, [...] questions [...] how [...]


Security Steeped in Culture

Francis D’Addario, CSO, Starbucks People often talk about embedding the practice of security into the business processes of an enterprise. Francis D’Addario, the CSO of Starbucks, has taken that notion one step further. D’Addario’s Partner and Asset Protection group literally steeps in the Starbucks culture and philosophy. In practice, security at Starbucks is entirely aligned with corporate values of trust, dignity and quality assurance, all in the service of creating a customer experience that is both globally consistent and locally relevant. And, of course, profitable for the company.

And profitability depends, to a great extent, on the safety and comfort level of every Starbucks location. Fast-food restaurant chains do a high-volume, mostly cash business. As such, they are well-known robbery targets. If the people inside a Starbucks store are edgy, it should only be because of the caffeine. When you walk in, you’re supposed to find a congenial little oasis where you can chill out, tap into the wireless cloud and disconnect from the worries of the world.

D’Addario sees a direct link between his work and the ability to sustain that kind of environment. “There’s been a school of thought, from time to time in different organizations, that the security mission is something that is competitive with operations,” he says. “In this company, it’s pretty well interwoven in the culture.”

Francis D’Addario, Starbucks’ VP of Partner and Asset Protection, has blended security into the coffee giant’s “culture of trust.”

He got his start in law enforcement more than 25 years ago, analyzing crime data to discern relevant geographical patterns (“It was pretty interesting putting the human behavior to what the logical coordinates were”). He remains a believer in data as a driver of security management. “We do an orientation that has been described as ‘protecting the Starbucks experience by the numbers.’ And I’d say today that the logical consequence of relevant information [provides] almost a dashboard of key performance metrics. I mean this in terms of the capability to assess risk by analyzing, say, robberies per thousand units to determine the financial return on prevention investments,” he says. In such an exercise, D’Addario would look at both “the incident impact risk, which would be commercial armed robbery,” and at the overall effect of acquiring preventive systems on the profitability of stores.

The Starbucks culture is reflected in the habit of referring to the folks who sell you your double low-fat latte as “partners,” not as employees. Among the unofficial partner benefits is the benefit of the doubt. Thus, in the area of loss prevention, the security group behaves less like investigators and inquisitors than like polite observers of a sudden unexpected performance variance in a particular store, at such and such a register, during such and such a shift. “We have an exception-based reporting system that allows us to analyze the activity of all partners from the same [store] and to broadly look at their activity against performance rules,” says D’Addario. Those rules “allow us to see how particular individual performances stack up in a district or a region, [and] to know not only whether the exceptional behavior is peculiar to the store—our interest gets perked if it is also peculiar to the district and the region.”
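The exception-based report D’Addario describes, worked through as an added example (it is not code from the article or from Starbucks’ own system): each partner’s register activity is scored against performance rules, then compared with store, district and region peer groups, widening outward only while the variance remains peculiar. It goes one step beyond the quote by also checking each store against its region, which is what surfaces a store-wide pattern that no single partner shows. The Shift fields, the rule names and thresholds (rate above three times the peer median, backed by at least five events) and the SAMPLE data are all assumptions constructed for the example.

```python
"""Exception-based reporting over point-of-sale activity.

Added example in the spirit of the report D'Addario describes, not code
from the article or from Starbucks. Every partner is scored against
performance rules, then compared with store, district and region peers,
widening outward only while the variance stays peculiar. Field names,
rules, thresholds and the SAMPLE data are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

LEVELS = ("store", "district", "region")   # narrowest peer group first


@dataclass(frozen=True)
class Shift:
    partner: str
    store: str
    district: str
    region: str
    transactions: int
    voids: int      # sales rung up and then cancelled
    no_sales: int   # drawer opened without a sale


# (rule name, numerator field, flag when rate > ratio x peer median, min count)
RULES = [("void_rate", "voids", 3.0, 5), ("no_sale_rate", "no_sales", 3.0, 5)]


def pooled(shifts, field):
    """(count, rate) over a pool of shifts; rate is events per transaction."""
    tx = sum(s.transactions for s in shifts)
    count = sum(getattr(s, field) for s in shifts)
    return count, (count / tx if tx else 0.0)


def group(shifts, attr):
    """Bucket shifts by one attribute (partner, store, district or region)."""
    buckets = defaultdict(list)
    for s in shifts:
        buckets[getattr(s, attr)].append(s)
    return buckets


def is_exception(count, rate, peer_rates, ratio, min_count):
    """Exceptional = beats the peer median by `ratio` and rests on at least
    `min_count` events, so a single stray void never triggers a letter."""
    if count < min_count:
        return False
    base = median(peer_rates)
    return rate > 0 if base == 0 else rate / base > ratio


def partner_exceptions(shifts, rules=RULES):
    """{(partner, rule): widest level at which the partner is exceptional}.
    The comparison widens outward and stops at the first level where the
    partner looks like the peers, so a store-wide pattern does not flag each
    member of its staff. Assumes a partner works at a single store."""
    findings = {}
    per_partner = group(shifts, "partner")
    home = {p: ss[0] for p, ss in per_partner.items()}   # where each partner works
    for name, field, ratio, min_count in rules:
        stats = {p: pooled(ss, field) for p, ss in per_partner.items()}
        for p, (count, rate) in stats.items():
            widest = None
            for level in LEVELS:
                key = getattr(home[p], level)
                peers = [stats[q][1] for q in stats if getattr(home[q], level) == key]
                if not is_exception(count, rate, peers, ratio, min_count):
                    break
                widest = level
            if widest:
                findings[(p, name)] = widest
    return findings


def store_exceptions(shifts, rules=RULES):
    """{(store, rule)} for stores whose pooled rate is exceptional against
    the stores of the same region; catches a pattern no individual shows."""
    findings = set()
    per_store = group(shifts, "store")
    region_of = {st: ss[0].region for st, ss in per_store.items()}
    for name, field, ratio, min_count in rules:
        stats = {st: pooled(ss, field) for st, ss in per_store.items()}
        for st, (count, rate) in stats.items():
            peers = [stats[o][1] for o in stats if region_of[o] == region_of[st]]
            if is_exception(count, rate, peers, ratio, min_count):
                findings.add((st, name))
    return findings


def shift(partner, store, district, tx, voids, no_sales):
    return Shift(partner, store, district, "west", tx, voids, no_sales)


# Constructed data: the norm here is about 5 voids and 3 no-sales per 500 sales.
SAMPLE = [
    shift("alice", "s1", "d1", 250, 20, 2),   # two shifts, pooled by partner
    shift("alice", "s1", "d1", 250, 20, 1),
    shift("amir", "s1", "d1", 500, 5, 3),
    shift("ana", "s1", "d1", 500, 5, 3),
    shift("bob", "s2", "d1", 500, 8, 3),      # high for s2, ordinary for d1
    shift("bea", "s2", "d1", 500, 2, 3),
    shift("ben", "s2", "d1", 500, 2, 3),
    shift("cal", "s3", "d2", 500, 5, 15),     # the whole store opens the drawer a lot
    shift("cem", "s3", "d2", 500, 5, 15),
    shift("cy", "s3", "d2", 500, 5, 15),
    shift("dan", "s4", "d2", 500, 5, 3),
    shift("dee", "s4", "d2", 500, 5, 3),
    shift("dov", "s4", "d2", 500, 5, 3),
]

if __name__ == "__main__":
    for (who, rule), level in sorted(partner_exceptions(SAMPLE).items()):
        print(f"{who}: {rule} exceptional up to the {level} level")
    for store, rule in sorted(store_exceptions(SAMPLE)):
        print(f"store {store}: {rule} exceptional against its region")
```

On the sample, alice’s void rate is peculiar all the way out to the region, bob’s only against his own store (his district peers make him look ordinary), and none of the s3 partners is flagged because the elevated no-sale count is shared by the whole store; that store-wide pattern is what the store-level check catches. Note that s1 also surfaces at the store level for voids, because one partner’s 40 voids inflate the pooled store rate, which is exactly why the partner-level report is read first. The ratio-to-median rule was chosen because peer groups at the store level are tiny; with larger groups a percentile or z-score cut-off against the peer distribution is the usual alternative.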

When a variance is noted, a letter is sent to the individual partner (with a copy to the store manager) “stipulating what the activity was that we saw and asking for a discreet explanation.” Such a letter, says D’Addario, “is meant to be instructive. It instructs the partner on policy. In context, it becomes a warning mechanism.” Starbucks observes a three-strikes policy that, after repeated unexplained variances, can culminate in a partner’s termination. “Typically, when the activity is truly exceptional, the letters...show a significant return on investment over a number of weeks.” In other words, the letters make the problem go away. The fact that a partner may get the benefit of the doubt in such a situation is in keeping with the Starbucks “culture of trust” and contributes more effectively to the goal of maintaining a congenial atmosphere in the stores than more intrusive investigations would.

“It’s not only tangible fiscal objectives being reached; there’s also the fun that happens in the store that you witness as a customer,” says D’Addario. If someone is stealing in a store, he says, “that affects the amount of labor that is scheduled; it affects the speed of service and the cleanliness of that store; it affects the ability of that partner to spend several moments with you to ask how your vacation was or be able to entice you to try a new offering. When organizations don’t have accountability and a commitment to quality throughout, then they begin to miss the opportunities of really having added value in the customer experience.”

Starbucks, he adds, “is, happily, the most unusual environment I’ve had the benefit of working in. I say that because executive management walks the talk here, from a corporate social responsibility point of view. The whole enticement of being a large successful company is really balanced by our ability to connect with each and every customer. I believe when we’re operating in Lebanon or China or Japan, it’s not this big American company that has this global face. There’s all these local people in there listening to the music and enjoying their beverages. And it’s very interesting to visit and see this experience happening, where there’s a celebration and a connection.... And it works quite well.”


Change Is Your Friend (Sometimes)

Linda Stutsman, CISO, Xerox If, as the old mantra says, change is good, then Xerox CISO Linda Stutsman is in her happy place indeed. In the past year, Stutsman says, “We have evolved from an information security organization to an information risk management and compliance office.” More than a name change, the move puts new responsibilities on Stutsman’s plate—privacy and regulatory compliance as it applies to information security. And the company has created an InfoRisk Council comprising senior business managers from every Xerox unit around the world. The group is charged with determining the appropriate risk level for each particular business unit and, from there, providing direction for Stutsman’s group to supply each part of Xerox with appropriate technical, strategic and budgeting levels for information security.


Xerox’s moves illustrate many themes that will play out in the coming year for information security in general and for CSOs in particular: Stay in tune with business priorities, frame security decisions in terms of appropriate risk management, and expect the mixed blessings that come with security regulation in many industries. While these changes are indeed good in the sense that they mark the maturation of information security as a corporate discipline, Stutsman is also frank about the downside. Additional responsibilities take additional time. “You never really leave this job at the end of the day,” she says. And her biggest frustration is a refrain every CISO will recognize. “The continuing exploitation of software vulnerabilities—it takes tremendous effort and stamina to stay ahead of it,” she says.

Constant change and ever-accelerating volumes of threats might tempt security leaders to long for a bit of stability. Stutsman is a realist on this point as well. “Although we have a security strategy and plans that we try to work to, we often need to reprioritize based on the current situation,” she says. “This really is often an interrupt-driven profession.”

And that’s the one thing that will never change.

Compliance Becomes a Core Competence

Sharon O’Bryan, former CISO of ABN Amro

Sharon O’Bryan can talk a blue streak about regulation, audit procedures and security technology—terrain with which she’s extremely familiar. But if you listen carefully, the undercurrent in O’Bryan’s thoughts seems to persistently redirect her toward undiscovered territory. She has a formidable resume, but O’Bryan mostly frames her own career as being less about achievement than about personal development.

O’Bryan left banking giant ABN Amro NA in May (she was CISO and senior vice president) in the wake of turmoil at the top. CEO Harry Tempest—whom O’Bryan describes as “very well read on matters of technology risk”—retired, as did the CIO to whom O’Bryan reported. (See “Called to Account,” www.csoonline.com/printlinks, for more on her work at the Dutch bank’s North American arm.) While O’Bryan lined up several interviews in short order, she wasn’t crazy about what she found. After a year of watching her information security function rise in prominence at ABN Amro, her job search uncovered a dispiriting reality: “Many organizations are using the terms CSO or CISO, but the job is really one of an information security manager.”

The difference, as she explains it, is that a true CSO/CISO position calls for “analytic, strategic planning, prioritization, communication at an executive level,” along with an understanding of “profitability, not just revenue.” During her four years at ABN Amro, those traits helped O’Bryan morph security from a function that “nobody listened to” into a group that was included and heeded in the early planning stages of IT and business projects.

Disenchanted by her observations of the job market—and looking for a position that would ensure her continued professional growth—O’Bryan launched her own consultancy. Combining her IT skills with her background in auditing, she has developed a practice to advise other executives on such complex regulatory issues as the Sarbanes-Oxley Act (of which she can effortlessly rattle off a well-reasoned list of a half-dozen major loopholes and flaws).

O’Bryan stops short of saying regulation will be the most profound shaper of the security landscape next year, but it nevertheless may become the most time-consuming aspect of the CSO position. “I do believe that a CSO’s time spent on regulatory matters will increase [significantly] in 2004 and incrementally in years thereafter,” she notes. The bulk of that time will involve helping the rest of the company sort through the details and determine what’s applicable to each business function.

Many CSOs and CISOs, particularly those with a technical background, may not count compliance efforts among their core skills. But from O’Bryan’s perspective, at least, that only means you get another chance to stretch yourself.

How the Practice Grows and Matures

Dave Kent, CSO, Genzyme Dave Kent can now take his hard hat off. As vice president and CSO of biotech heavyweight Genzyme, he oversaw the integration of security components into the design and construction of the company’s striking new corporate headquarters (see “The Architect,” www.csoonline.com/printlinks). In October, the move finally took place, and Kent had a little more time to spend ruminating about his role—and the other hats he wears.

As busy as he has been, Kent fails to meet the definition of the hyperstressed executive, a breed often seen to be victims of “low decision latitude”—meaning too much responsibility accompanied by too little authority (see “Stressed To Kill,” www.csoonline.com/printlinks). “My job satisfaction continues to be high,” he says. “Business is good and interesting. I’m working with a great team and having fun. I have a flexible schedule, generally travel on my own agenda, and the company encourages a good work-life balance.” When asked whether he’d want his kid to grow up to be a CSO, he says, “In this environment, yes.”

While the practice of security at Genzyme hasn’t changed much during the past year, he says, “Organic growth and acquisition have increased the company’s scale and complexity. And there is more emphasis on developing a global perspective.”

Is his job harder or easier today than it was in the past? Kent offers up a mixed bag. “Each successful year builds a positive group reputation and makes influencing decisions easier.” But Genzyme’s growth spurt has brought its share of challenges. “The main difficulty is tied to acquisitions,” he says. “In this industry, [companies] often have no—or unsophisticated—approaches to security. This is because of a lack of experience or an inherent disbelief in the value of what [security has to offer]. As a result, educating and influencing in these environments is hard and time consuming.”

Fearless Predictions: Freelance Terror

“The war on terrorism and organized crime will continue to fracture terrorist and organized crime networks. That may result in independent operations that resort to kidnapping, extortion, commercial armed robbery and cargo theft for self-funding.”

-FRANCIS D’ADDARIO, VP OF PARTNER AND ASSET PROTECTION, STARBUCKS

Nonetheless, he says, “a significant majority of the corporation values our involvement, particularly at the planning stage [of business initiatives]. A few locations—primarily those that think security is a low-bid, facility-related issue only—still need to be convinced.”

Kent, who claims never to have seen his own job description (he suggests that it ought to read, “Provide professional security services and other duties as required”), is a pretty good convincer. He approaches the challenges of security governance with a well-honed sense of humor. When asked how his boss evaluates his performance, he says “by the group compliment-to-complaint ratio!” He reports to Genzyme’s executive vice president for human resources, an arrangement that he says “works quite well [because] we are able to operate as an independent entity serving the management team.”

One of security’s main success factors is having “a strong ability to control the agenda, based on a thorough understanding of business goals, time lines and objectives. We have credibility on tactical-level security matters.” Building credibility is a long-term play. Even security incidents present reputational opportunities. Kent’s group has gained “access, acceptance and, ultimately, inclusion by demonstrating quiet competence when bad things happen, [and] then using the moment to build support for future goals, objectives or projects.”

While he concedes that there is sometimes tension over the cost of security investments, “linking everything we do back to the company’s agenda” keeps the business and security objectives aligned.

During the past year, Kent says, he’s been pleased with the extent to which “the importance of a complete integrated approach to security is becoming clearer.” His priorities for the coming year include “continuing this process of integration of physical, information, supply chain and vendor security programs, worldwide, and to extend evaluation and controls to key suppliers and partners.”

The things that keep him awake at night are perhaps the same sorts of worries that keep every CSO from sleeping well: “the personal safety of my fellow employees living and working in difficult areas of the world; security of voice and data systems, particularly those that are accessed by third parties; the screening of employees and nonemployees (meaning temps, contractors, consultants) in countries that have poor records or that deny [access to] records.”

Finally, if he needs a second opinion on anything, he draws freely on contacts with other security executives he has met through professional membership associations such as the International Security Management Association. “Only on a few occasions have I not found help from cold-calling a person in a similar position,” he says.

Ask Joyce Brocaglia a Question

Joyce Brocaglia, CEO of Alta Associates, is CSOonline.com’s resident career expert. Visit CAREER ADVISER and ask her your questions. Go to www.csoonline.com/adviser.

Dismissed  on  a  Technicality 

Joyce  Brocaglia,  CEO,  Alta  Associates  Joyce  Brocaglia  started  out 
specializing  in  IT  auditors  some  20  years  ago.  “What  happened  was 
we  started  getting  more  and  more  requests  for  information  security 
people.  Then,  when  infosecurity  departments  started  getting  formed, 
a  lot  of  them  [were  staffed]  out  of  IT  audit,”  says  Brocaglia,  president 
and  CEO  of  recruitment  firm  Alta  Associates.  “These  people  had  the 
necessary  technical  skills  and  an  understanding  of  compliance.”  Who 
got  to  lead  those  new  departments?  Typically,  she  says,  whoever  was 
most  technically  astute.  Mainframe  guys  with  a  deep  understanding 
of  RACF  and  TopSecret. 

But now, says Brocaglia, that convention has been turned upside down: “Today we’re replacing the most technical person with someone who has great communication, leadership and project-management skills.” Brocaglia says for CSO-level positions, her client companies are looking for strong business acumen and—with Sarbanes-Oxley and other legislation breathing down their necks—a solid understanding of regulatory requirements. “In fact, most searches that we conduct for a CSO are for companies that already have one in place, and [the incumbent] does not have a broad enough skill set or executive presence,” she says.

Among  her  other  observations  about  the  state  of  the  profession 
today,  Brocaglia  says  developing  credibility  remains  a  concern  even 
for  infosecurity  leaders  well  established  in  their  positions.  Keeping 
the  infosecurity  team  motivated  is  another  challenge,  given  budget 
squeezes  and  the  time  crunch  created  by  ever-growing  numbers  of 
threats  and  exploits. 

Looking for a career hot spot underneath the CSO level? Brocaglia says 2004 is the year of application security, “especially among financial services companies. They’re looking to hire people who can sit down with their developers from the very earliest stages and start building security into the design,” she says. “We’ve got a half-dozen open VP positions in application security, but those people are hard to find. In fact, very few exist, because hardly anybody has [paid attention to] application security before.”




GOVERNMENT RELATIONS

Capital Ideas

As the federal government’s influence over security practices continues to grow, CSOs have a few suggestions for improving public-private partnership By Todd Datz


...flow of information and understanding between the public and private sectors. “We’re not the bad guys,” he says.


In the area of security—whether it relates to homeland defense or to various industry guidelines and standards of practice—the consistent philosophy of the Bush administration has been to emphasize voluntary public-private partnerships and market-driven solutions over more adversarial, regulation-heavy approaches. While laying off the regulations is a popular course among private-sector companies, some pieces of the partnership puzzle still seem both frustrating and confusing to CSOs and the organizations they serve.

Questions abound. Does Washington really understand how businesses work? Does it know enough about the industries it seeks to influence? Is there money where the government’s mouth is? Are the lines of communication really open and omnidirectional, or does too little information flow among too few parties? Can the inertia and weird prerogatives of bureaucracy be overcome? And are there some circumstances that call for compulsion and not just voluntarism?

CSOs don’t lack a voice in these matters; but they would like their voices to echo a little louder in the halls and hearing rooms of the nation’s capital. With that in mind, we asked CSOs representing different industries (oil and gas, electric power, manufacturing and health care) to sound off on the Beltway issues that affect them most, and to offer suggestions for achieving a more productive public-private relationship in the coming year.

[Editor’s note: In this story we use the terms government and Washington more or less interchangeably and in a monolithic sense that, we concede up front, is somewhat unfair. Government consists of many agencies and countless individuals and is often more variable in its actions than perfectly consistent. Nonetheless, what we mean to suggest here is that there are norms of government conduct that are defining and characteristic. The conclusions our sources draw and the prescriptions they propose are offered in that spirit.]

Get to Know the Private Sector

If a common theme ties together many of the threads in this story, it is the desire of CSOs for a true public-private partnership, one in which information flows in two directions and there’s a greater understanding of the private sector on the part of Washington. Lynn Mattice, director of corporate security and business intelligence at Boston Scientific, is in the camp that believes that both the executive and legislative branches have to do a better job of reaching out to corporate CSOs. One model that Mattice strongly endorses is that of the State Department’s Overseas Security Advisory Council (OSAC), which is a collaborative partnership between U.S. multinational companies and the State Department that has been around since 1985. Its goal is to help companies do business abroad and to identify security risks in foreign locales. CSOs are represented on the council.


Though Mattice and others have energetically advocated adopting an OSAC-like framework for dealing with domestic security issues, the message so far has not gotten through. He has encountered uneven government receptivity to private-sector input. “The government has to understand that the private sector isn’t an adversary—we’re not the bad guys,” says Mattice, noting that sometimes people’s perceptions are unfairly tainted by the Enrons and other corporate bad apples.

The  government  could  also  do  a  better  job  of  understanding  the 
interrelationships  among  industries,  says  Bobby  Gillham,  manager 
of  global  security  at  ConocoPhillips  and  chairman  of  the  Energy 
ISAC.  To  illustrate  one  such  interdependency,  Gillham  notes  that  the 
regional  electric-grid  blackout  last  summer  had  the  potential  to  shut 
down  energy  pipelines  as  well.  “We’re  working  with  the  government 
now  to  better  understand  the  issues  when  there’s  a  loss  of  power  or 
[an  inability  to]  transport  natural  gas  or  petroleum  products.  What’s 
the  impact,  and  how  can  we  deal  with  it?”  he  says. 

Robert Hayes, a former CSO and currently a security consultant, says that government needs a way of checking regulations and guidelines developed by separate agencies to make sure they aren’t in conflict with one another—a cause of great frustration for CSOs who must ensure compliance. Hayes would love to see a position created in the federal government that gives one person oversight of laws, regulations and voluntary compliance programs; an office that produces status reports and benchmarking to ensure that businesses are aware of the regulations that impact them, and that tracks how businesses are complying and whether security funds are being spent in the right places.

Edward Markey has been a Massachusetts congressman since 1976. As a Democrat, he sits on the Select Committee on Homeland Security, where he speaks often about airline, chemical, biological and nuclear facilities security. He also sits on the Telecommunications and the Internet Subcommittee, which is tackling issues such as cybersecurity, critical infrastructure protection, spam and online consumer privacy. Markey, who cofounded the Congressional Caucus on Privacy, told us how the government still has a lot of work to do to tighten security.

CSO: What do you consider the greatest unaddressed threat to homeland security?

Edward Markey: Billions of tons of cargo are transported in the belly of passenger planes every year, and none of this cargo is inspected before it’s loaded into the hold underneath the passenger compartment. While passengers on the flight are required to remove their shoes and submit to screening, the crates beneath their feet pass unscreened and uninspected onto the very same flight. This is a dangerous and unacceptable loophole that must be closed. Approximately 22 percent of all the air cargo shipped in the United States each year is transported on passenger planes. A cargo screening amendment I offered to the FY04 spending bill for the Department of Homeland Security passed overwhelmingly, and a motion I made to urge the inclusion of cargo screening in the department’s spending bill also passed by a wide margin. Unfortunately, the White House and the Republican

Homeland Security Is Powered by Information

In the aftermath of 9/11, the government passed legislation and proposed regulations to help prevent another catastrophe. At the same time, CSOs took the initiative to develop and implement new security measures in response to the terrorist attacks. For many CSOs—especially those within the so-called critical infrastructure industries—issues related to homeland defense are a growing part of the daily agenda.


Gillham has worked closely with the government on critical infrastructure issues affecting oil and gas companies. “They really do listen,” he says. “They have the right attitude about working in partnership as opposed to legislating so many requirements.” Gillham thinks getting the right information to the right people in a timely manner is an area that the government needs to focus on. He says that the ISACs are currently working with the government to facilitate better information-sharing.

One of the biggest issues on Gillham’s plate is vulnerability assessments. The Environmental Protection Agency, under the Clean Air Act, identified some 15,000 RMP sites—or risk management plan sites, which store or utilize hazardous chemicals—that require periodic security reports from companies that use or store hazardous chemicals. These sites have also been identified as potential terrorist targets. In late 2001, Sen. Jon Corzine (D-N.J.), whose state is home to numerous hazardous chemical facilities, introduced legislation that would have required those companies to assess their vulnerabilities, improve their security, and consider safer alternatives to their current methods of manufacturing and storing chemicals.

Corzine’s bill died on the Senate floor after the chemical industry lobbied hard against it (it wants the industry to voluntarily police itself). Earlier this year, the Bush administration took the EPA off the chemical plant enforcement beat (Corzine’s bill gave the EPA the power to mandate safety measures) and gave oversight to the Department of Homeland Security. Critics say this has done little to address the safety issue, partly because DHS’s plate is full just trying to organize itself.

“The real, positive side of DHS,” says Gillham, “is that it recognizes that 90 percent of the critical infrastructure is in private hands, and it has placed a responsibility on us to do these vulnerability assessments.” He supports legislation drafted by Sen. Jim Inhofe (R-Okla.) that would not require vulnerability assessments to be filed with the government, which he says would make them potentially available to public exposure through the Freedom of Information Act (FOIA). “That’s a real concern to us,” he says. To the usual concerns about FOIA disclosures—that they potentially risk damaging a company’s reputation among stockholders, customers and the general public—Gillham adds another reason. “Any vulnerability information we put out there could be viewed as a road map for terrorists to attack us.”


majority in Congress have blocked the requirement that cargo be screened prior to loading it onto passenger planes. This unaddressed threat is too important to ignore.

Do you believe that the government should provide greater guidance to the public in times of heightened security? If so, what steps would you advise the government to take?

I believe that more detailed warnings, such as geographically specific information, should be provided to the public if possible. I have cosponsored H.R. 3158, which is the Preparing America to Respond Effectively Act. It includes a provision to reform the threat advisory system so that affected industries or geographic areas receive useful information. “Buy duct tape and plastic sheeting” and other general warnings to be vigilant do not provide the public with the information it needs to respond effectively when new threats are uncovered.

In addition to the need for a system that provides industry and geographically specific warnings, more specific recommendations should be given to the appropriate state and local officials when new information arises that could affect their jurisdictions. The advisory system should be refined so that messages appropriate for government officials, industry leaders and the general public are conveyed when a relevant threat emerges. Lack of sufficient security clearances and facilities for receiving and using classified information has hindered information flow at times. The Prepare Act requires the Department of Homeland Security to report on the number and level of security clearances needed by state and local government officials so that classified terrorist threat information can be conveyed appropriately.

In your opinion, what are the Bush administration’s single greatest success and single greatest failure in the war on terror?

In the immediate aftermath of 9/11, the Bush administration responded quickly to explain to the public the nature of the terrorist threats facing America. Unfortunately, since then, the rhetoric has not been matched by tangible results in several key areas. For example, the Bush administration and Republicans in Congress have failed to:

■ Close the dangerous cargo loophole, which enables unscreened, uninspected cargo to be loaded aboard passenger planes.

■ Provide first responders with adequate funding, leading the nonpartisan Council on Foreign Relations to report that the United States is “drastically underfunded” and “dangerously unprepared” for another terrorist attack.

■ Mandate the tough security measures needed to safeguard nuclear power plants from terrorist attacks.

■ Dramatically improve port security measures.

What role would you like to see corporate CSOs playing in the national discourse on security?

Security executives have a vital role to play in the effort to strengthen homeland security. CSOs are experts when it comes to protecting their own operations, and more than 80 percent of critical infrastructure is privately owned. We need the expertise of CSOs, both in advisory capacities and on the ground, if another attack occurs.

-Julie Hanson




Government Relations


Michael Assante, vice president and CISO at American Electric Power, a Midwestern energy provider, has similar concerns. He’d like to see some guidelines and requirements around the protection of critical infrastructure information. “Everyone likes to talk about it, but there is no specific guidance to make sure [such information is] exempt from disclosure to the public. Nor have any criteria been established for withholding and protecting the information,” he says, referring both to federal and state governments, which have sunshine laws requiring public disclosure. He also notes that when politics are involved, information can get leaked to the press. “I’m down to one option,” he says. “Don’t hand it over to somebody because there’s no way to make sure it’s controlled properly.”

Though Hayes calls DHS’s early efforts “first-rate,” he cites some issues that come up repeatedly when he discusses homeland security with his peers. For instance, he says, “one-stop shopping” for information, meaning a single place where CSOs can get the homeland security-related information they need. Currently, he says, you might call the FBI and hear one thing, then call the State Department and hear something else. There is, in effect, no quality control.

Hayes understands that the government can’t reveal all of the intelligence a security executive might like to get his hands on. But he believes that when the government asks companies to take action of some kind, they will be more eager to comply if they know a little more about the nature of the threat to which they’re being asked to respond—does it come from a credible source, and what is the time frame?—so that they can put the best action plan in place. “A lot of times you get information from the government right after it’s been on CNN,” he says.

To deal with the many homeland security issues that affect the private sector, some CSOs agree with Mattice that a domestic security advisory council, patterned on the OSAC model, would be an ideal way for CSOs to share information with the government, and vice versa. In April 2002, Mattice presented a white paper to DHS Secretary Tom Ridge’s chief of staff proposing the establishment of such a council. Ridge appeared to embrace the idea of an OSAC-like entity and assigned his chief policy person to work with a small private-sector group organized by Mattice. (Among its members, according to Mattice, the group included a former assistant secretary of state for diplomatic security and a former CIA deputy director of operations.) In December 2002, Ridge spoke at the OSAC annual meeting and expressed his intention to duplicate that group within DHS.


But that council remains an idea on paper only, and Mattice is perplexed by the new organization’s failure to form what he views as an absolute necessity. His frustration is evident: “I’m also perplexed by the government’s apparent willingness to ignore input from the very people who understand the environment the best, because we work it every single day.” Mattice has spent nearly 28 years in the security business and wants to contribute some experience to a fledgling, cobbled-together government entity that needs all the help it can get. In the aggregate, he says, private-sector security professionals “outnumber government folks by 3-to-1.” What’s needed, he says, is “an open flow [of information] and communication. We can’t have this ‘We’re going to shove it down your throats’ approach. This needs to be done on a collaborative basis.”

Kevin Lampeter, senior vice president and director of corporate security for financial giant State Street Corp., agrees there’s room to improve interactions between DHS and private-sector security execs. Among other things, he mentions the sharing of joint resources, better coordination in planning and testing emergency-response and risk-mitigation programs, and more detailed threat information when the level bumps up a color. Still, like many of his peers, Lampeter recognizes that DHS will experience growing pains for a while. “It will take time for them to organize themselves and obtain the appropriate resources and focus on building relationships,” he says. “They’re in an early evolutionary state.”

Don’t Tread on Us


Few issues raise the hackles of security executives (and others in their enterprises) more than regulation. On the one hand, CSOs generally favor industry self-regulation and voluntary compliance over requirements laid down by the feds. Many don’t believe that bureaucrats in Washington have enough knowledge of their industries to make informed decisions, and they chafe at the extra costs that come with compliance. And when there are regulatory sticks, they want the government to complement them with some carrots—incentives for compliance.

American Electric Power’s Assante points to the International Organization for Standardization (ISO) standards framework as a voluntary compliance model that works. With ISO, he notes, CSOs can apply the model in a way that best fits their organizations. Assante argues that specific regulations from Washington often require him to take scarce security resources and brainpower away


Fearless Predictions: Unity

“Allow nonpartisan commingling of Homeland Security and congressional, senate, assembly and legislature staffers to openly discuss and make recommendations for opportunities to continually succeed.”

-SAMANTHA THOMAS, CISO, CALIFORNIA STATE TEACHERS’ RETIREMENT SYSTEM




from protecting the company the way he best sees fit and instead puts them to work on what he calls “compliance exercises.”

Of course, many would argue that, because many standards are voluntary, some companies will inevitably fail to implement proper security measures. After all, why spend the money when there’s no fear of consequences? “It’s a tough problem,” says Assante. “I’m not going to tell you that every utility is developing an infrastructure protection program [as robust as the one] we are.”


Talk Is Cheap. Security Is Expensive

Money talks. Indeed, the rising costs of security in the private sector, especially at a time when companies continue to pare spending, are all too familiar to budget-beleaguered CSOs. Whether it’s homeland security, the Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley, many companies have had to devote more and more resources to complying with the recent spate of government regs.

That doesn’t mean security executives think that money is going to waste, however. Bonnie Michelman, the director of police, security and outside services at Massachusetts General Hospital, says that recent regulations have made her job easier in many ways. Broadly speaking, she says, Sarbanes-Oxley, the Patriot Act, and HIPAA have increased security awareness and education of employees, making them more willing to focus on security efforts and cooperate with security departments. However, she would also like to see federal grants to help cash-strapped nonprofit hospitals make ends meet.

Assante, too, would like to see a grant program implemented to help pay security-related costs. Industries wrestle with the question of where the line should be drawn between a normal cost of doing business and an exceptional burden caused by security threats. American Electric Power, says Assante, is a regulated entity. “Our price is defined for us.” Consequently, the utility can’t pass along those added security costs to ratepayers. “Our cost basis increases,” he says, “which [amounts to] asking our shareholders to take on an unfair burden to protect the nation’s critical infrastructure.” Assante, however, believes there is a willingness in the executive and legislative branches to develop a grant program to offset some of these costs.

There are other cost-recovery mechanisms that could work. Gillham likes the idea of tax exemptions, which he says would help defray the bundle of money ConocoPhillips is spending on enhanced security, in his words, “to help the U.S. economy.” For example, he says, “We’re spending $5 million on one of our 14 refineries to


Fearless Predictions: Liability

“I’m not saying that software manufacturers deserve 100 percent of the liability for losses from cyberattacks. But it’s just as ludicrous to say that they deserve none. Somewhere in the middle there’s a correct amount, and I’d like the courts to figure it out.”

-BRUCE SCHNEIER, FOUNDER AND CTO OF COUNTERPANE INTERNET SECURITY


Because of inconsistencies in the way background checks are done, employers may play unwitting host to blue-uniformed security personnel with shady pasts and uncertain intentions. John Pontrelli, formerly the director of security at W.L. Gore, the manufacturer of Gore-Tex fabrics, cites development of a uniform credentials program as the top way that government could help the private sector. Such a program would include speedier and more thorough background checks. Pontrelli notes that in the state of Maryland, for example, a check can take six months and not even be a full National Crime Information Center (NCIC) database check. In Delaware, by contrast, he notes that all applicants must be fingerprinted, the prints run through the NCIC and the results returned the same day. “There are a lot of private-security officers out there guarding our nuclear facilities. What if one is guarding, but his background check hasn’t come in because six months isn’t up yet?” asks Pontrelli.

Michelman would also like to see more consistent and sophisticated standards for earning credentials. She, too, takes issue with background check laws. Currently, she says, she can get information on applicants for positions at Mass General Hospital from Massachusetts databases only and not from those in other states. “A large majority of the criminal population moves around,” she says. She’s especially concerned because she works in a large hospital, where employees have access to patients, narcotics and children. “Not to get at that [out-of-state] information really creates a risk for us,” Michelman says.

All in all, it’s safe to say that the relationship between CSOs and Washington is a mixed bag, with plenty of room for improvement. How, when or whether security execs can make their voices heard more loudly in the coming year is anybody’s guess. In the meantime, they’ll continue their quest for just a little more peace, love and understanding from the folks in the nation’s capital.


Send feedback to Senior Editor Todd Datz at tdatz@cxo.com.


Regulation Nation

Longtime CSO Bob Hayes is wary of post-9/11 security regulations. Read “Chaos in a Three-Ring Binder” from the July 2003 issue of CSO to find out why. Type the DocID number (above) into the search box at www.csoonline.com to find the article online.


enhance security,” adding that refineries are a low-margin enterprise for the company.


Improve Background Checks for Security Personnel




ADVERSARIES 



Which of the following incidents poses a threat to your company’s security?

A. Your parking lot is full of SUVs set ablaze to protest America’s profligate consumption of the world’s natural resources.

B. Your CEO’s user account is active and accessing the latest R&D reports for a new product at 1 a.m. while he’s supposed to be on a flight to Asia.

C. An enterprising young man in the Ukraine is siphoning credit card numbers off the Web for his employer, a criminal syndicate, which compiles and sells them in bulk to the highest bidder.

Unless you own a car dealership or hold an executive position with Amazon.com, you’re probably going with “B,” right?

Ah, if only it were that simple. Unfortunately for CSOs, each one of those diverse scenarios illustrates a trend that is a clear, present and growing danger to corporate security. In spite of the fact that security is finally getting the attention and resources it deserves, the list of threats that CSOs will have to handle during the next few years continues to expand at an alarming rate.

And it’s no longer just the antisocial basement-dwelling hacker, cracker or script kiddie behind such attacks. The collection of ne’er-do-wells with an interest in undermining your corporate security has metastasized during the past few years into a multifarious cast of characters: industrial and state-sponsored spies, cyberterrorists, ecoterrorists and international mafiosi, just to name a few.

But does it really matter who’s behind a security breach? Plenty of


“The entry point for cyberterrorism is the cost of a PC,” warns Bill Hancock, CSO of telecommunications company Cable & Wireless.


Underground Fears




Adversaries


gee-whiz stories have been written that delve into the culture of the Russian mafia or the potential threat of cyberterrorism, and these issues are usually covered with a breathless fascination resembling the bravura of the bad guys. Sure, they make for great stories, but they provide little assistance to CSOs in strengthening their defenses.

“Whether it’s a hacker taking credit card numbers or organized crime, often they’re exploiting the same vulnerabilities,” says Dorothy Denning, professor at the Department of Defense Analysis of the Naval Postgraduate School. “It’s not so much who the actor is—it’s what they’re doing.”

Still, there are some definite trends that security executives should pay attention to—evolutionary changes occurring within the underground. Here’s how you should structure your security defenses to keep pace.


Convergence Theory


Ask any security expert to forecast the future, and after he finishes the requisite hemming and hawing over the impossibility of such a task, he’ll usually profess at least one certainty: that “convergence” will occur. By that, he means that criminal groups will band together to attempt larger attacks, and that those efforts will likely include blended attacks that have a physical and cyber component to them.

The threat of a blended attack is one that the intelligence community takes very seriously. Harold Hendershot, section chief of the computer intrusion section of the FBI’s cyberdivision, characterizes the prospect of such an attack as a force multiplier.

“Imagine if the 9/11 attacks had been coupled with a denial-of-service attack on telephones in Washington, D.C., or New York,” he says. “It’s a force multiplier because it increases the perception of damage. [Terrorists] can inflict a lot of physical damage, but if the government is suddenly silent or slow to respond, it creates psychological damage.”

Most experts agree that while terrorism groups have indicated an interest in using IT attacks to undermine critical infrastructure (and are using the Internet extensively as a communication medium by burying messages in spam), they haven’t matched up the intent with the capability yet. But it’s likely not too far away.

“These are educated, smart, well-funded and reasonably motivated individuals, and there’s a lot they can do,” says Bill Hancock, CSO of


In his career, Frank Abagnale has been an airline pilot, a college professor, a lawyer and a pediatrician—and that was before his 21st birthday. In his youth, Abagnale was a master forger and imposter, cashing about $2.5 million in forged checks to finance his jet-setting lifestyle. When he was finally apprehended, he spent a total of five years in French, Swedish and U.S. prisons, after which he cowrote a book based on his adventures called Catch Me If You Can, prompting the Steven Spielberg movie of the same name. Today, Abagnale has parlayed his knowledge of forgery into a successful consulting practice. He is considered one of the world’s foremost authorities on check fraud, embezzlement and secure documents, and he lectures and consults extensively for the FBI. We recently spoke to Abagnale about the growing problem of identity theft and what CSOs should be doing to counter this rapidly spreading crime.


CSO: Identity theft is often thought of as just a crime against consumers. Is that accurate?

Frank Abagnale: Identity theft is a crime against consumers, businesses, financial institutions and retailers. In 2002, there were nearly 9.9 million victims of identity theft. Banks, credit card companies and retailers lost more than $47 billion that we can attribute directly to identity theft. It’s common for a bank or credit card company to write off a debt and then find out months later that it was caused by identity theft. Rather than report it as fraud, they simply write it off as a bad debt. Every security




Fearless Predictions: Anarchy

“Anything that can disrupt a country’s economic stability will be a prime target, such as transportation, utilities, financial systems and food. If ‘terrorists’ can shake people’s belief in the stability or safety of their country, a resulting effect will be the freezing of consumer spending.”

—KEN WHEATLEY, VP OF CORPORATE SECURITY, SONY ELECTRONICS


likely to be more attractive to terrorists as a way to increase the event’s efficacy.

“If you’re looking at convergence as the possibility to launch a coordinated attack physically and virtually, I think that we’ll see the effect of that fear in the next five years,” says Dario Forte, security adviser to the European Electronic Crimes Task Force. “But if you are looking at this phenomenon for a cyberevent like the Blaster worm to have an impact on physical security, I think we’ll see that in the next two years.”

In fact, in September the State Department had to temporarily shut down its electronic CLASS system (the Consular Lookout and Support System), which checks visa applicants for terrorist or criminal histories, because of an infestation of the Welchia virus. Forte predicts that those


telecommunications company Cable & Wireless. “The entry point for cyberterrorism is different from [bioterrorism] where you have to pay people to develop things for you. The entry point for cyberterrorism is the cost of a PC.”

Hancock asks his fellow CSOs to consider the panic that would ensue if a widespread cyberattack were to hit the financial community. Millions of people could lose their life’s savings. “What is money, after all, but an entry in a database?” he says.

Of course, “bombs have a better byline” than a computer attack, notes Hendershot grimly, but high-concept attacks such as walking into a stadium event with a bomb are getting harder to pull off. The prospect of tying a lower-grade kinetic event with a cyber component that might delay first responders or cause additional chaos is


executive should be concerned about protecting the identity of his customers, clients, members and employees. Everyone is in an uproar about the $87 billion [as the cost to rebuild] Iraq. Consider this: White-collar crime in America is now at $600 billion annually, almost twice the budget of the entire Defense Department. These are real losses in income and tax revenue that ultimately come out of consumers’ pockets in the form of increases in fees, goods and services. The $87 billion is a deficit against the budget. The $600 billion comes directly out of the pocket of every man, woman and child in America. I think it’s time we get concerned about white-collar crime.

What can security executives do to prevent their customers from being victimized? What precautions should they institute internally?

When we ask an embezzler how he accessed the company’s e-mail or building, the most common answer is, “I was let go six months ago, but they never removed my privileges.”

One of the biggest problems we have today is the failure of companies to recognize the necessity for identity management. Why is it that a teller, who is working part time at a bank, has access to the balance of my account, my Social Security number, date of birth, private banking information, employer’s name, my position at my company and information about my family? Why is it that a volunteer working at a hospital has access to my medical records? Why wouldn’t every company and institution have a program in place to control access to information so that software would not allow certain levels of employees to be able to access this information? What if tomorrow, XYZ Co. were to lay off 20,000 employees? It would take an average of nine months to remove the employees’ e-mail privileges, pass privileges, phone privileges, card entry-access privileges and credit card privileges. Software exists that allows the company in a matter of seconds to delete those 20,000 employees’ privileges and in seconds restore them.

The Internet has clearly taken identity theft to a new level. What kinds of crimes are possible now that you wouldn’t have been able to pull off when you were practicing fraud?

Today, anyone can go on the Internet and find out 22 pieces of information about any individual with no more than their name and address. I can even tell you who lives in your house that is not related to you, who lives next door or across the street from you. We’ve allowed so much private information about us to be placed in public files and on the Internet that anyone can compile your profile in minutes. What I did 35 years ago is now 2,000 times easier.

What’s the next step on the continuum? What crimes will plague us five years from now as a result of the increased availability of personally identifiable information and technology?

Five years from now, we can expect more of the same. Technology breeds crime; it always has and it always will. Crimes will get faster, harder to detect. They will be faceless and committed from thousands of miles away. We will constantly need to develop technology to fight technology that is being misused by criminals.

What do you think the Department of Homeland Security needs to do to prevent identity theft and falsification by potential terrorists?

In my opinion, the Department of Homeland Security and the Transportation Security Administration need to start profiling. That may not be politically correct, but it is correct. The time and energy spent searching 5-year-olds or 80-year-olds is ridiculous when we know what type of person we're looking for.

If the country were to institute a national ID, what kinds of security measures would it include to be more effective than the IDs that college kids have been reproducing for years?

I don’t think we’ll ever have a national ID program. We’ve talked about it for more than 30 years. Privacy is very important to Americans, and it should be. I strongly believe in the technology to make a document almost impossible to counterfeit. However, nothing is impossible to re-create if someone has created it. I tell my clients that if you believe you have a foolproof system, you have failed to take into consideration the creativity of fools. That said, there are some wonderful technologies from many companies that can be put into documents, both plastic and paper, to make them extremely secure. They can be costly, but if you are going to do it, you have to do it the only way...the right way.

-Daintry Duffy




kinds of incidents are only going to increase in frequency.

For CSOs, the pressure is on to knit the physical and cybersecurity departments closer together, if not merge them entirely. “Going forward, the modern and forward-thinking company will need to demand a holistic approach to risk management. That means combining [physical and IT security] to work together for common results,” says Hancock. “The truly ‘bad boys’ of the terrorist world do not differentiate between methods to terrorize a specific target,” he notes. “Whatever works best and quickly is always preferred.”

Hancock is quick to add that, if the opposition is going to use multiple methods and blended methods to debilitate a company, the company being attacked can’t think in “old ways” to deal with a modern threat.

Perpetrators are indicating a willingness to pool their resources and pull off ever larger exploits. Hackers are countering increased network resistance to old-style attacks by working in gangs, harnessing their collective brain and computing power. And even crime syndicates have developed a very sophisticated set of technology skills.

The worry is that those skills might be hired out to a terrorist organization, providing an out-of-the-box cyberterrorist capability, notes Matthew Devost, a founding director of the Terrorism Research Center. “They have their own laptops and accounting systems and command-and-control networks, and everything that a billion-dollar multinational would have,” he says.

Groups that are interested in pulling off purely physical attacks are also combining forces with like-minded individuals. The ALF (Animal Liberation Front) and the ELF (Earth Liberation Front) have long been on the list of the FBI’s top domestic terrorism concerns, but recently a splinter group called the Revolutionary Cells has formed, creating a front group for militants across the so-called liberationary movement spectrum. The group characterizes its membership as “anarchists, communists, antiracists, animal liberationists, earth liberationists, Luddites and feminists,” among other things, and their tactics are brutal. The group recently claimed responsibility for bombings outside the California offices of Chiron, a company that has had business dealings with Huntingdon Life Sciences, a longtime target of animal-rights activists.


Security Gets Personal

In the coming years, facility security and IT security may be joined by a third and equally important area of security practice: personal security. This issue was once only a concern for celebrities, high-profile executives and dignitaries, but it’s starting to go mainstream as citizens and employees are targeted for an employer’s perceived transgressions, and sometimes for no reason at all.

Groups such as ALF, ELF and SHAC (Stop Huntingdon Animal Cruelty) used to target mostly pharmaceutical companies, fur farms or logging companies in the Pacific Northwest, and it was fairly easy to predict whether your company might be a target of their activities. But recently the groups have taken to targeting the secondary business partners as an effective strategy in undermining the primary business target.

For instance, Shaklee Corp., a personal and home care product and nutrition supplement company, is a subsidiary of a pharmaceutical company that animal rights groups want to target. Individuals who have a secondary relationship to such companies have also been targeted. In one instance, members of SHAC posted personal information online for a stockbroker for Huntingdon Life Sciences. When that had no effect, they posted the personal information of his neighbors.

Such threats will also carry over to employees as they travel overseas. “Today’s modern executive needs good physical protection measures and proper intelligence so they know what to avoid when traveling,” says Hancock.


“Going forward, the modern and forward-thinking company will need to demand a holistic approach to risk management. That means combining physical and IT security to work together for common results.” -Bill Hancock, CSO for Cable & Wireless

Several high-profile executives have had ransom demands delivered and negotiated via cyberspace when a family member was kidnapped, and their personal information has been stolen for identity theft (see “Q&A: Frank Abagnale,” Page 42). Hancock notes that the home computers of executives will continue to be targeted for “harvesting” by competitors, and CSOs will have to ensure that their departments work closely with every employee who has access to sensitive information so that they can secure their computing environments no matter where they work.

Keep Friends Close

Sun Tzu might rethink his philosophy of keeping friends close and enemies closer if he were contemplating the security challenges of a Fortune 500 company. One of the threats that CSOs face—particularly those working in the critical infrastructure—is the possibility of employing a hacker, corporate spy or other individual who wants to gain a trusted position within a corporate network for nefarious reasons. “Hiring practices and background checks haven’t kept pace with threats,” notes the Terrorism Research Center’s Devost, “and there’s increasing concern that it might be easy to get someone hired into a legitimate position and have them collocate with a target inside the firewall to engage an attack.”

Fearless Predictions: Vulnerabilities

“Howard Schmidt predicted zero-day exploits a couple of years ago and was accused of being alarmist. The relevant word is actually ‘prescient.’ It is absolutely frightening as a vendor—and as a customer—to realize that systems can get whacked (technical term) out of the blue by a vulnerability nobody knew was there.”

-Mary Ann Davidson, CSO, Oracle

Fueling the espionage aspect of that problem is a tight economy; people are looking for illegitimate ways to use their skills and earn more money, and corporations are desperate to find any way to gain a competitive edge. Most of the time, a skilled corporate spy can get in and out of a network without anyone ever knowing he was there. “You can spend a lot of money to protect against the attack from the outside, but once you bring somebody into camp, the threat goes way up because the greatest damage comes from an inside threat,” says the FBI’s Hendershot.

Not only should companies review their background check and hiring procedures, but they should also review who has access to which systems and documents. “Determine where you will draw that line of trust,” Hendershot suggests. “Should a person in sales be reviewing R&D documents? Should a person in finance be looking at our marketing theory? CSOs turn on intrusion detection for the outside, but what’s going on inside, and does it make sense?”
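Hendershot’s “line of trust” review, and Abagnale’s point earlier in this issue that laid-off employees keep their privileges for months, both come down to the same periodic check: join the HR feed with what the systems actually grant, and flag anything the role does not justify or the employment status no longer supports. The following is an added example written for this page, not code from the article or any vendor; the role policy, HR records, users and ACL export are constructed sample data.

```python
"""Access review that joins HR status with system entitlements.

Added example, not code from the CSO article or any vendor. It checks
two things the text raises: whether a departed employee still holds
privileges, and whether a person's access matches their role (should
someone in sales be reading R&D documents?). All names, roles, resources
and policy below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed role policy: the document classes each role may read.
ROLE_POLICY = {
    "sales": {"price-lists", "crm"},
    "finance": {"ledger", "payroll", "crm"},
    "engineering": {"rd-docs", "source"},
    "marketing": {"marketing-plans", "crm"},
}

# Constructed HR feed: the authoritative view of who still works here.
HR_STATUS = {
    "alice": ("sales", "active"),
    "bob": ("finance", "active"),
    "carol": ("engineering", "active"),
    "dave": ("engineering", "terminated"),
}


@dataclass(frozen=True)
class Entitlement:
    """One (user, resource) pair as exported from a system's ACLs."""
    user: str
    resource: str


# Constructed ACL export from the document store.
ENTITLEMENTS = [
    Entitlement("alice", "price-lists"),
    Entitlement("alice", "rd-docs"),          # sales reading R&D
    Entitlement("bob", "ledger"),
    Entitlement("bob", "marketing-plans"),    # finance reading marketing
    Entitlement("carol", "source"),
    Entitlement("dave", "source"),            # left the company, still entitled
    Entitlement("erin", "crm"),               # unknown to HR at all
]


def review_access(entitlements, hr_status=HR_STATUS, policy=ROLE_POLICY):
    """Return (entitlement, reason) pairs that an owner must justify or revoke.

    Order of checks matters: an orphaned or terminated account is reported
    as such even if the resource would have fitted the old role.
    """
    findings = []
    for ent in entitlements:
        record = hr_status.get(ent.user)
        if record is None:
            findings.append((ent, "no HR record (orphaned account)"))
            continue
        role, status = record
        if status != "active":
            findings.append((ent, f"account {status} in HR, access not removed"))
            continue
        if ent.resource not in policy.get(role, set()):
            findings.append((ent, f"'{ent.resource}' is outside the {role} role"))
    return findings


def revocation_list(findings):
    """Collapse findings into the sorted set of (user, resource) pairs to remove."""
    return sorted({(ent.user, ent.resource) for ent, _ in findings})


if __name__ == "__main__":
    found = review_access(ENTITLEMENTS)
    for ent, reason in found:
        print(f"{ent.user:6} {ent.resource:16} {reason}")
    print("revoke:", revocation_list(found))
```

The HR feed is treated as the source of truth deliberately: a terminated account is reported before its entitlements are compared to the old role, so the review surfaces the nine-month lag Abagnale describes as its own finding rather than hiding it behind a role match.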

Forte notes that the “gray hat” phenomenon is also still on the rise, and he cautions CSOs to not only examine who their employees are but their contractors as well. In August 2002, 14 Italian hackers—almost all of whom were security professionals by day—were arrested and charged with hacking the networks of NASA, the U.S. Army and Navy, and various universities around the world.

Which One of These Things Is Not Like the Others?

Another buzz phrase that security experts frequently bandy about in discussions of future security threats is the importance of “anomaly detection”—noticing that the CEO’s account is active even though he’s on an airplane, and recognizing when changes occur in the network that portend a potential threat or vulnerability. Security organizations will have to become even faster and more nimble. They will have to notice anomalies and institute fixes much faster.
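The CEO-on-an-airplane case above is a correlation between an authentication log and something the log cannot know on its own (where the account owner is). The following added example, written for this page and not taken from the article, runs two such checks over constructed log lines: activity during a window in which the owner is known to be unavailable, and a successful login from a source network never seen for that user during a baseline period. The log format, user names, addresses and travel calendar are all constructed.

```python
"""Account anomaly detection over constructed authentication log lines.

Added example, not code from the CSO article. It implements the two
checks the text sketches: an account active while its owner is known to
be unavailable (the CEO's account in use while he is on a plane), and a
login from a source network never seen for that user during a baseline
period. The log format, users, addresses and travel calendar are all
constructed sample data.
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def utc(s):
    """Parse the constructed timestamp format into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = utc(ev["ts"])
    return ev


def network_of(ip):
    """Coarsen an IPv4 address to its /24 so a new host in a known office doesn't alert."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(lines):
    """user -> set of /24 networks seen in successful logins during the baseline window."""
    seen = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["result"] == "success":
            seen.setdefault(ev["user"], set()).add(network_of(ev["src"]))
    return seen


def detect(lines, baseline, unavailable):
    """Return (timestamp, user, reason) for each anomalous successful login.

    `unavailable` is a list of (user, start, end, reason) windows during
    which that user's account should be idle; both checks are applied
    independently, so one event can produce two findings.
    """
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["result"] != "success":
            continue
        for user, start, end, reason in unavailable:
            if ev["user"] == user and start <= ev["ts"] <= end:
                findings.append((ev["ts"], ev["user"], f"activity while {reason}"))
        net = network_of(ev["src"])
        if net not in baseline.get(ev["user"], set()):
            findings.append((ev["ts"], ev["user"], f"first login seen from {net}"))
    return findings


# Constructed baseline: a quiet week of normal logins.
BASELINE_LINES = [
    "2003-11-24T08:55:10Z user=ceo src=10.1.4.22 result=success",
    "2003-11-25T09:02:41Z user=ceo src=10.1.4.23 result=success",
    "2003-11-24T08:30:00Z user=cfo src=10.1.7.40 result=success",
    "2003-11-26T21:15:00Z user=cfo src=198.51.100.7 result=failure",  # failures never widen the baseline
]

# Constructed travel calendar: the CEO is in the air all morning on 1 December.
UNAVAILABLE = [
    ("ceo", utc("2003-12-01T09:00:00Z"), utc("2003-12-01T14:00:00Z"), "owner in flight"),
]

# Constructed lines for the day under review.
TODAY_LINES = [
    "2003-12-01T08:10:05Z user=cfo src=10.1.7.41 result=success",    # known office /24, normal
    "2003-12-01T10:02:13Z user=ceo src=10.1.4.22 result=success",    # CEO is on a plane
    "2003-12-01T11:47:59Z user=cfo src=203.0.113.9 result=success",  # never-seen network
    "2003-12-01T12:00:00Z user=ceo src=203.0.113.9 result=failure",  # failed, ignored
    "garbage line that does not parse",
]


def run_example():
    """Run both checks over the constructed day and return the findings."""
    return detect(TODAY_LINES, build_baseline(BASELINE_LINES), UNAVAILABLE)


if __name__ == "__main__":
    for ts, user, reason in run_example():
        print(ts.isoformat(), user, reason)
```

The baseline is built from successful logins only, so a run of failed attempts from an unfamiliar address cannot teach the detector that the address is normal; the /24 coarsening is a deliberate trade-off that keeps a DHCP move within a known office quiet at the cost of missing a second host on the same subnet.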

Forte notes that the trend in viruses and worms is moving ever closer to “zero day” attacks—any attack in which there is less than 24 hours between the announcement of a vulnerability and its exploit. “Hackers are increasing their research activity and trying to share secrets without releasing them to the public,” he says. “I strongly believe that the time for [a virus to] spread will be reduced to a few minutes in the next couple years, and security managers will have to take care of their reaction time.”

And, of course, there’s always the unpredictable variable of luck. Script kiddies still account for 60 percent to 70 percent of denial-of-service and distributed denial-of-service attacks. Most of the time they download tools, but they don’t really understand what they’re doing. But one of these days—whether it’s intentional or not—one of these kids is going to get lucky and will have a major impact on the critical infrastructure or some other important system.

Still About the Basics

It would be great to imagine a future in which security transcends the petty issues of patching and policy enforcement, but that doesn’t seem to be in the cards for CSOs.

A majority of threats that are likely to plague security executives in the years to come will derive from a continued failure to adhere to basic best practices. Companies will keep trying to save money by connecting networks and leveraging a shared infrastructure, but these networks that were previously closed and isolated from the dangers of the Web will now be internetworked with potentially disastrous results. These closed networks are laid bare to a multitude of security threats that they are poorly equipped to withstand. Nuclear reactors, electrical substations and oil refineries all are run by process networks.

Hancock, for one, fears that as more of these networks are interconnected to save money, disastrous repercussions will ensue.

“Think about the basics of safe computing and the spread of viruses,” advises Hendershot. “Sobig, Cornucopia, Code Red have taken known exploits to propagate themselves. Security people have to make sure that when new technologies come out, they are familiar with the vulnerabilities. What door are you opening?”

The future holds unknown challenges in store for the CSO—everyone’s crystal ball seems to agree on that much. But the biggest danger that security executives are sure to face is failing to address the vulnerabilities that they already have today.


Send feedback to Senior Editor Daintry Duffy at dduffy@cxo.com.


Road Rules

Protect yourself, and your employees, while traveling. Read about travel risk services in “Avoiding the Road to Perdition” from the March 2003 issue of CSO. Type the DocID number (above) into the search box at www.csoonline.com to find the article online.




TECHNOLOGY

Safety Measures

Forget deus ex machina: In 2004, information security will require a splash of the old, a dash of the new and a healthy dose of brainpower to pull it all together. By Christopher Lindquist


News alert: The perfect firewall isn’t going to ride in on a white horse. A “god box” won’t magically appear on your desk to protect your network from the evil that lurks a thin wire away. In fact, the coming year isn’t likely to see any major advances in security technology, according to experts. Instead, 2004 will be all about evolutionary improvement, end user education and making the best use of the tools we have.

While a few folks still opt out, most prefer a vaccine to tempting a case of hepatitis. The same holds true for computer systems. Almost universally, security experts point to patching as a key tool to keep the bad guys at bay. But they acknowledge that current patching tools are still in their infancy and need to improve.

Security experts generally agree that the bulk of all attacks take advantage of vulnerabilities for which there are already solutions, either through patches or configuration changes. As such, numerous companies have lined up to create tools that automatically identify and patch operating systems and applications. But current tools are often less than subtle, simply patching any and every device regardless of whether it is actually prone to the attack. And many companies have discovered to their dismay that a patch designed to fix a hole may create more problems by bringing down previously stable systems—or even introducing new vulnerabilities.

That has led some companies to take a slower approach to patching their systems, giving their IT departments time to run tests and make sure a patch won’t do more harm than good. Unfortunately, a delay of even a few days could spell the difference between surviving an attack and becoming the next headline.




But sometimes the patches arrive after the attack is under way. And when the latest worms can spread in moments, even the most sophisticated patching tool may not be enough. “Patching technologies are overhyped,” says Bruce Schneier, founder and chief technical officer at Counterpane Internet Security and author of several security books (most recently Beyond Fear: Thinking Sensibly About Security in an Uncertain World). “They’re not going to do much good in a world where worms spread in 15 minutes.”

As such, technologies are emerging that can buy IT departments the time they need to deploy patches once an attack commences. “[New tools] will need to shut down services, throw up rules on the firewall and provide breathing room to [let people] start fixing the problem,” says Stuart McClure, president and chief technology officer of vulnerability product vendor Foundstone and author of Hacking Exposed: Network Security Secrets and Solutions. “They’re really running a marathon, these IT and security guys. They need a little reprieve.”

Companies are also working to create tools that deal with vulnerabilities that have nothing to do with holes in the underlying code, McClure says, but simply in users’ difficulty with properly configuring systems. “Vulnerabilities make up maybe half, maybe two-thirds of the attacks,” he notes.

The rest, he says, are misconfigurations: systems with default passwords still in place, ports open unnecessarily and security features not even turned on. Today’s tools don’t really deal with these configuration issues sufficiently, McClure says, though a few have begun to try.
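The three misconfigurations McClure lists are mechanical to check once a host's intended state is written down, which is what a configuration audit does. The following is an added example written for this page, not code from the article or any vendor: each host record is a constructed snapshot of what an inventory scan might return, and the default-credential list, service-to-port map and required-feature list are constructed stand-ins for the vendor-specific lists a real audit would load. A weak host is shown beside its corrected twin so the output of both can be compared.

```python
"""Configuration audit for the misconfigurations the text lists.

Added example, not code from the CSO article or any vendor. Each host
record is a constructed snapshot of what an inventory scan might return:
the administrative credential in use, the listening TCP ports, the
services the host is supposed to offer, and which security features are
enabled. The default-credential list and service-to-port map are
constructed too; a real audit would load vendor-specific lists.
"""

# Constructed list of factory credentials that should never survive deployment.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "")}

# Constructed map from an approved service to the one port it legitimately needs.
SERVICE_PORTS = {"web": 443, "ssh": 22, "dns": 53}

# Constructed list of features every host is expected to have switched on.
REQUIRED_FEATURES = ("host_firewall", "audit_logging")


def audit_host(host):
    """Return a list of findings for one host; an empty list means it passes."""
    findings = []

    # 1. Default password still in place.
    if (host["admin_user"], host["admin_password"]) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default administrative credential still in place")

    # 2. Ports open that no declared service needs.
    needed = {SERVICE_PORTS[s] for s in host["services"] if s in SERVICE_PORTS}
    for port in sorted(set(host["open_ports"]) - needed):
        findings.append(f"port {port} open but no approved service needs it")

    # 3. Security features not turned on (a missing key counts as off).
    for feature in REQUIRED_FEATURES:
        if not host["features"].get(feature, False):
            findings.append(f"security feature '{feature}' not enabled")

    return findings


def audit_all(hosts):
    """Map hostname -> findings, keeping hosts that pass (empty list) for reporting."""
    return {h["hostname"]: audit_host(h) for h in hosts}


# Constructed: the weak host beside its corrected twin.
WEAK_HOST = {
    "hostname": "web-01",
    "admin_user": "admin", "admin_password": "admin",
    "services": ["web"],
    "open_ports": [22, 443, 23],          # telnet and ssh listening on a web-only box
    "features": {"host_firewall": False, "audit_logging": True},
}

HARDENED_HOST = {
    "hostname": "web-02",
    "admin_user": "admin", "admin_password": "xK9!constructed-unique-value",
    "services": ["web", "ssh"],           # ssh declared, so port 22 is justified
    "open_ports": [22, 443],
    "features": {"host_firewall": True, "audit_logging": True},
}


if __name__ == "__main__":
    for hostname, findings in audit_all([WEAK_HOST, HARDENED_HOST]).items():
        print(hostname, "PASS" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Note that port 22 is reported on web-01 and not on web-02 even though both listen on it: the audit compares against the services the host is declared to provide, which is what turns "ports open unnecessarily" into a decidable check rather than a judgement call.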

And then there’s the other answer—build better software in the first place. “We invest a lot at the end on the problem areas,” says Tim Grance, group manager in the computer security division at the National Institute of Standards and Technology (NIST). “People spend a lot learning to patch systems, but it would be better if we wrote them better in the first place.”

Tools for the New Era

While some technologies are still only dreams, others are beginning to make commercial advances. Here's a (by-no-means complete) sample of companies using new techniques to help CSOs do their jobs.

ARCSIGHT
www.arcsight.com
The company offers a suite of tools intended to let security personnel analyze and manage threat data through a consolidated interface.

ENTERCEPT SECURITY TECHNOLOGIES
www.entercept.com
Intrusion prevention product maker combines signatures with "behavioral rules" to detect and stop attacks. Acquired by Network Associates in 2003.

INTERNET SECURITY SYSTEMS
www.iss.net
ISS's Proventia product line will be able to help users create everything from firewalls to virus filters to intrusion prevention systems to as-yet-uninvented tools in the future.

OKENA
www.cisco.com
Acquired by Cisco Systems, Okena's products detect and block potential attacks without the need for constantly updated digital signatures.

SANA SECURITY
www.sanasecurity.com
If a previously “normal” application behaves abnormally, Sana's Primary Response can warn administrators of potential problems and block attacks for which patches may not yet exist.

TEROS
www.teros.com
The Teros Secure Application Gateway promises to block a variety of Web-based attacks while “cloaking” machines to hide them from attackers.

Simplifying Complexity

Simplifying security tools might also go a long way toward solving the problems patches fend off today. “[We need a] distributed, simple approach, built out of simple elements that can be tested and proven to work,” says Michail Bletsas, director of computing at MIT’s Media Lab. Bletsas and other experts also promote the idea of pushing simplified security technology as close to end nodes as possible, rather than creating large, complex systems on the perimeter. He points to security features built into switches as an example of how not to do things.

“You end up loading a device that can’t fail,” Bletsas says. “You exercise it when your switch melts after the next worm attack. Remember, the Internet is an end-to-end network, which by design is supposed to do nothing more than forward packets at its core. Every defense strategy that relies on adding more complex functions to the network’s core is bound to fail.”

There are other security areas begging for simplification as well. Encryption technologies are common culprits, requiring a complex infrastructure and laborious user interaction to use effectively. “Strong e-mail has been available, but almost no one uses it because it’s too complicated. PKI has failed completely because the user interface makes no sense to most people. Many don’t use file encryption because they’re afraid that they’ll lose the data if they forget the key,” says Counterpane’s Schneier. “The security works great—but it doesn’t get deployed properly.”

“We need to hide the complexity,” says Grance. “We want [security] to be like a TV. We don’t know exactly how it works, but we know how to watch it.”


Communication and cooperation must also play a role going forward. At the macro level, organizations—from the government to private businesses—with a common interest in security need to work together to create solutions. At the micro level, security tools need to share their information more quickly with other products, providing a more cohesive defense against attack.

A couple of emerging security standards may help that cause in 2004. Standards group Oasis is currently working on the Application Vulnerability Description Language (AVDL) and the Web Application Security (WAS) standard. Both promise to allow for easier communication among security devices. When finished, AVDL will let different security devices send and receive vulnerability information in a standard XML format. For example, a vulnerability scanner could send a standard report to an application gateway about what policies to implement based on discovered vulnerabilities. WAS, meanwhile, looks to establish a standard means of describing Web security threats—even those that may not yet be known. A Web security tool could detect an incoming attack, use WAS to describe its characteristics, and then send that information to other tools for analysis and response.

And as security vendors continue to consolidate (Cisco Systems buying end-point security vendor Okena, and Network Associates acquiring intrusion prevention company Entercept, for instance) it’s likely that various tools will begin to work more in concert—even if only along a particular product line.


Seeking Immunity

Improved communications between security components is only the next step toward a sort of immune system for infosec. “I think businesses could build an autoimmune system in the network,” says Peter Cochrane, cofounder and chief technologist at technology consultancy and incubator ConceptLabs. Others agree.

“[We need] distributed network attack detection and mitigation technologies that will rely on a dynamically updated view of the network’s ‘health’ and block malicious traffic as close to its source as possible,” says MIT’s Bletsas. Some such tools are already beginning to appear on the market (see “Tools for the New Era,” Page 48), but they are far from mature technology.

Still, says Sunil Misra, chief security adviser at Unisys, companies shouldn’t shy away from such emerging technologies. Instead, they should put them into trial and “fine-tune them for certain application sets,” to get a feel for how they work, he says. “You have to learn with it.”


The People Problem

Security administrators aren’t the only ones with things to learn, however. Training the people who use technology every day will be key to ameliorating the problems of the past few years. “We rely on technology too much—that’s one way we make the problem worse,” says Schneier. “We need implementers. We need installers. We need maintainers. We need experts—people who know computer and network security and can react to whatever new thing is making us miserable this week.” But creating those experts is going to take time—and the help of academia. “Security is certainly a more popular topic on campuses today,” says NIST’s Grance, “but we’re just beginning to have leading figures in security.”

Beyond training tomorrow’s leaders, CSOs need to worry about training today’s users—even in the most basic issues. “We need a way to keep people from double-clicking on every e-mail attachment that they get,” says William Orvis, senior security specialist for the Department of Energy’s Computer Incident Advisory Capability, noting that that has been a primary source of worm distribution.

Wireless security is another area where users need significant training. “I saw five laptops with Wi-Fi signals on an airplane,” says Cochrane. “Three had WEP [wired equivalent privacy] turned off, and I could see their hard drives. These are people with IT departments, but they’re not training their executives in use of Wi-Fi.”


Security Technology Time Line

2000 B.C.: Wooden mechanical locks used in Egypt.
333 B.C.: [caption not recovered]
870: First all-metal locks appear in England.
1790: [caption not recovered]
1851: Alfred Hobbs picks Bramah’s lock in 44 hours. Panic spreads among bankers and merchants dependent on Bramah's and similar locks.
1856: [caption not recovered]
1904: [caption not recovered]
1940s: [caption not recovered]
1978: Digital uses ARPAnet to send what may be the first spam message.
1981: [caption not recovered]
1983: WarGames, starring Matthew Broderick, becomes a hit. Computer hacking goes mainstream for the first time with noncomputer audiences.
1986: [caption not recovered]
1988: Morris worm causes $98M in damage to computer systems worldwide.
1990: [caption not recovered]
2000: Russian hacker steals thousands of credit card numbers from CD Universe’s website.
2001: Code Red worm infects more than 350,000 computers in 24 hours.
2002-present: Klez, Sobig, Blaster and no end in sight.



Professor Eugene Spafford knows a bit about security. And he thinks we're going about it all wrong. Founder and executive director of Purdue University's Center for Education and Research in Information Assurance and Security, he was named to the President's Information Technology Advisory Committee in 2003 and has worked on many security books and articles.

CSO recently talked with Spafford about technology, complexity and the shape of security to come.


CSO: Do we need to make wholesale changes in how we approach security technology?

Eugene Spafford: We need to make some significant changes—changes that won’t be popular with some because they’re toward minimalist systems, like appliances or much smaller, tighter systems instead of these larger, general-purpose, do-everything operating systems.

One of the chief enemies of good security is complexity. Complex systems are difficult to build and configure correctly, and they’re difficult to understand and operate. Many of the weak points we have now are the result of systems with too much functionality that either isn’t needed or can't be secured properly. Hardware is cheap enough that we should be able to afford to buy an extra box or two and isolate and contain failures.

The trend toward all-in-one systems came about decades ago when equipment was very expensive, and we wanted to run everything on the same box. We argue now that we can reduce the training if we have only one type of system or we can reduce the number of patches. But if your system is exceedingly simple to operate—you just plug it in and set three or four switches, and it doesn't need patches because it’s not so complicated that it breaks all the time—then that argument has no merit.

What else is critical?

The second trend is we have to start looking at the tools and technologies we use to build systems and start using some of the accumulated knowledge we’ve built up in the past 30 or 40 years about good software engineering practice. Programming in C or C++ is not a particularly good idea unless you are really an expert and you have appropriate tools to back up what you're doing with testing.

There are a number of languages that could be developed that are considerably safer for running most of our applications. And we should start putting some energy and thought into creating testing tools and diagnostic tools for what we build. Having thousands of flaws per year that need to be patched is ridiculous.

Is there something that could happen or needs to happen to get people working toward these goals?

There are a number of things that could cause the change. One is certainly there could be some terrible incident or terrible software that goes around. The places that don’t get hit by it will stand out. In fact, that’s happened. We were never touched because we use Unix and Macintosh systems. But that didn't stand out enough.

What I think is more likely to make a difference is insurance companies or lawyers are going to get involved. [Companies] are creating a monoculture that is more susceptible to the next big worm or next big break-in because everything is going to have the same set of vulnerabilities. If I was a stockholder in a firm that was doing that, and it got really badly hit by the next big virus or worm, I'd consider that negligent and possibly actionable. We’ve got years of experience showing us that these kinds of attacks are coming more and faster, that bugs are present. And here they are standardizing on a system that will be wiped out by the next thing that goes through. If that’s not negligence, then I don't know what is.

-C.L. 


New Tech, New Questions

The coming year won't be just about reusing old technology. New technologies exist that could resolve a number of our more pressing security problems—everything from spam to denial-of-service attacks. But putting these technologies to use will require careful thought to balance risks and rewards.

"In spam mail, right now it's possible in our current e-mail technology to fake just about everything in the message," says Orvis. But the next-generation Internet protocol, IPv6, includes mechanisms to certify where packets come from and—by extension—where mail is coming from, which will make it more difficult for spammers to mask their identities. However, Orvis cautions, "things like [IPv6] involve a pretty large change in how the network does business." Other technologies that could be invaluable in theory—including DNSsec and PKI—require similarly large up-front investments.

"A lot of schemes are very effective but can exist only in laboratories because they're not cost effective," says Grance. "Should people move to IPv6? Perhaps, but they have to first answer questions like, What does it do to my infrastructure? and How does it affect other security measures? Plus there's all the business questions about scalability, interoperability and effectiveness. Technology will always solve and create problems at the same time," he warns. "Virtual private networks can be a hole too, not just a secure tunnel."


Christopher Lindquist is technology editor for CIO and an occasional contributor to CSO. He can be reached at clindquist@cxo.com.

If You Must Patch, Do So Properly

The Robert Frances Group says CSOs can save time and money (and their sanity) by practicing proper patch management. Read "Patch Deployment Best Practices in the Enterprise," a CSOonline.com ANALYST REPORT. Type the DocID number (above) into the search box at www.csoonline.com to find the article online.


50 www.csoonline.com December 2003

PHOTO BY TOD MARTENS


Tivoli software

See how much storage you have. See how much storage you need. See it adjust without doing a thing.

Tivoli Storage Management helps optimize your storage systems. Underutilized space is automatically identified. Nonessential data is easily eliminated. It's an integral, affordable complement to server consolidation, and it's compatible with most current storage systems. For more on this award-winning software and to download Tivoli Storage Resource Manager trial code, visit ibm.com/tivoli/seeit/tsrm

IBM, Tivoli, the e-business logo and e-business on demand are registered trademarks or trademarks of International Business Machines Corporation in the United States and/or other countries. Certain restrictions will apply to your use of this software. Winner, ARC Award. August 2003. Please visit the Web site for governing terms and conditions. Your results may differ. © 2003 IBM Corporation. All rights reserved.


In a government sponsored trial of biometric security systems, LG IrisAccess outperformed every other system tested, proving to be far more accurate. Far faster. And over 1000 deployments confirm it.

LG IrisAccess Iris Recognition Systems provide unparalleled security for people and property. The winner in head to head testing. Proven in over 1000 installations, worldwide. LG IrisAccess makes world-class security surprisingly affordable. Visit lgiris.com/report. And see the difference it can make to your security.

The iris identity experts.

LG IrisAccess 3000

LG IrisAccess is produced under a technology license from Iridian Technologies, Inc. ©2003 LG Electronics USA


The Eyes Have It

Machine vision promises to change the image of security. By Fred Hapgood

Machine vision is a common name for software that can look at a picture or video and list the objects or behaviors therein: This is a chair, that is a person, and over there is a person jumping over a fence. There's hardly a simpler—or more powerful—concept, but making it happen has been quite another story. According to John W. Bramblet, president of Newton Security, hundreds of companies have produced machine vision products only to see them slain by the "blooming buzzing confusion" of the real world.

However, in recent years a synchronicity of progress in cameras, lighting and processors—all stirred together with hundreds of thousands of man-hours of development (much of it funded by DARPA)—has brought the technology to the edge of general deployment. Some futurists think that's very big news. The only thing preventing robotics from having the revolutionary effects anticipated for so long, they say, has been their inability to see. (Technologist and author Marshall Brain believes that vision-enabled robots will disemploy more than a third of the U.S. labor force during the next 20 years.)

Whether that happens or not, machine vision is almost certainly going to revolutionize security. The technology never gets distracted, forgetful or tired. It is network-compatible, scalable, readily upgradable, searchable and archivable. Like all things digital, its price is on a one-way trip to zero. Machine vision not only touches nearly every responsibility of the security mission as currently defined, but it seems likely to rewrite both the meaning of security and its relation to the organization as a whole.

Comings and Goings

Perhaps the machine vision application now spreading fastest is what Lee J. Nelson, principal systems consultant for Electro-Optical Technologies, calls intelligent optical character recognition, or IOCR. It differs from unintelligent OCR in that the former recognizes characters printed on physical objects—often moving, dirty and outdoors—as opposed to ones on a printed page.

ILLUSTRATION BY ANASTASIA VASILAKIS

According to Donald Brick, president of Hi-Tech Solutions USA, a machine vision company, IOCR is now being used at many ports around the world to keep track of containers. It can identify which containers have arrived, where they're stacked and if they've been loaded onto a particular ship. The most important IOCR application, by sheer number of installations, is probably license plate recognition (LPR), currently used for objectives ranging from intrusion detection to toll collection.

In the context of the parking garage, the primary benefit of LPR is in controlling the lost ticket con. Every garage sets an amount that has to be paid by people who have lost their tickets. Anyone running a bill higher than that amount has an incentive to throw his ticket away. As time goes on, that incentive becomes more powerful. According to Louis Vinios, president of JPA Management, a building management company, the con is chronic and serious, since it always involves large amounts of money. And, while you could send an employee around to do manual entry of license numbers, the task bores people quickly (and bored humans tend to work slowly, expensively and inaccurately).

Vinios has no hard figures, but he suspects that the Trakker LPR system he installed in the Radisson Hotel he manages in Boston choked off enough bogus lost-ticket claims to pay for itself in a year. There are other benefits too. Vinios says he is sometimes in a position to help law enforcement (two of the 9/11 hijackers left their cars in an LPR-equipped garage), and occasionally customers ask for precise records of their comings and goings for an audit trail. Consultant Nelson adds that building security managers often have reasons independent of revenue for wanting to keep track of who's parking in their buildings.

Tricks of the Trade

As important as IOCR is, the big payoff for machine vision in security will be in object and behavior recognition. Consider change recognition, for example. You might want to compare the underside of a vehicle or a container using a reference image to look for differences. Changes might be evidence of tampering; if any were to be found, the vehicle in question might be flagged for special treatment, such as X-ray examination. Brick of Hi-Tech Solutions predicts that in the near future, owners of vehicle fleets, valet services and parking garages will also use such systems to recognize damage (false damage claims are another risk for these businesses).

Machine vision is far more flexible than the usual tools of physical security. "After 9/11, we installed cameras along the Mexican border," says Bill Anthony, spokesman for the U.S. Bureau of Customs and Border Protection. Since there were far too many cameras for the number of agents available to monitor them, the bureau tried to filter the camera feeds with motion detection.

That didn't work. "There are a lot of rabbits out there," Anthony says. "We had to check each alert, and by the end of the day we were getting tired." So the bureau bought a people-recognizing system built by ObjectVideo. It's a program that looks for patterns of movement that are associated with those made by humans, like a sphere (a head) nodding on top of a cylinder (a torso).




To the Rescue

By definition, "first responders"—firefighters, police and other emergency and rescue workers—often work in rotten conditions. One of first responders' most vexing challenges, which they share with military personnel in combat, is that the gear they carry to protect themselves is often so heavy and awkward that it makes their work more difficult. A recent study of emergency response workers by Rand (funded by the National Institute for Occupational Safety and Health) highlighted a number of specific problems and weaknesses in protective gear and communications equipment. Another report from the Council on Foreign Relations in June 2003, "Emergency Responders: Drastically Underfunded, Dangerously Unprepared," addresses the budget restrictions that contribute to the lack of appropriate equipment as well.

Disciplines such as materials science and industrial design are coming to the rescue, so to speak. The U.S. military is working on a project called Future Combat Systems, which employs industrial design companies such as Crye Associates to create a combat uniform that can withstand various hazardous conditions (dust, extreme temperatures and so on) while not encumbering soldiers. (A detailed account of this project is written up in the September/October issue of design magazine I.D.) MIT also recently held its first Soldier Design Competition, with a panel of judges that included senior military personnel combing through the students' ideas.

The MIT event was sponsored by deep-pocketed private-sector companies including DuPont and Dow Corning, which raises the point that products and technologies developed for the military have a long history of finding their way into lower-cost versions for commercial and even consumer applications (see: Hummer). In the area of communications specifically, a product already available is NetworkAnatomy's CommanderPack, an 11-pound backpack that includes multiple communications modes (satellite, cell and radio frequency), redundant power sources including battery and solar, a tablet PC and other goodies. Doug Linman, the company's CEO and principal designer, served in the military and provided communications consulting following the collapse of the World Trade Center towers. "I talked with fire and police people who had survived, the chief of the American Rescue Team International and others, and they all talked about the stuff they had that didn't work, like cell phones, because the cell networks were down," he says. Those issues ultimately led to the development of the CommanderPack.




Location matters. Without it, you don't have the whole story.

Is a web visitor in Kansas or not? Are they using their true identity or hiding behind a curtain of secrecy? You can ask for location verification, but you need to know the truth.

Quova's geolocation technology determines the real-world location of a website visitor, all the way down to their city. And that can help you avoid doing business with the wrong people.

Quova lets you authenticate users, manage access, configure intrusion detection, block potentially hazardous IP domains and deny potentially fraudulent transactions. Quova even offers network connection and performance data with pinpoint accuracy.

With Quova's fully integrated enterprise solutions, companies have unparalleled confidence in their network security plans and fraud prevention activities.

Get the whole story. Call Quova today: 1-877-737-8682

www.quova.com


According to Anthony, the upgrade, which was rolled out over the existing infrastructure, has eliminated the false positives. Recently, the bureau expanded its contract with ObjectVideo to cover all points of entry, including international locations.

Another application for people recognition is to detect piggybacking and tailgating. Piggybacking refers to cases where a person authorized to pass through a control point allows another to do so, perhaps because the latter is waving a pass or performing a routine maintenance activity, such as waxing the floor. Tailgating is when unauthorized people crowd in behind an authorized access.

Such tricks can be defeated with turnstiles, mantraps and guards, but those techniques have costs and limitations. "Mantraps and turnstiles are physically cumbersome. They're hard to move traffic through, and they limit your access points," says Jerry Brady, CTO of Guardent, a security services company. "Machine vision would allow people to pass through any number of entrances and exits while gathering information on the traffic flow. I'd love to use it."

He certainly could, as there are a number of piggybacking recognition systems on the market today. However, before Brady makes a major investment, he wants to see a system that offers across-the-board integration with enterprise IT and other security technologies, from biometrics to wearable panic pins.

Raising Flags

The digital nature of machine vision raises integration issues. For instance, up to now it has been impossible to hook more than a very small number of video-camera outputs to a LAN, since a small number of video outputs can suck the bandwidth out of even a high-speed Ethernet. Run locally (as it always is), machine vision acts like a compression algorithm, putting only actionable data—exception reporting, in essence—with maybe a couple of illustrative .jpegs onto the Net. That makes it possible to integrate the outputs of hundreds of cameras around the enterprise.

One implication is that CSOs will be asked to define a new class of security issue: not violations, but flags. A car recognition system might count how often the same car parks in remote corners late at night, at least raising suspicion. Or it could count how often someone drives around the perimeter—two times around might only mean they're lost; four times is more interesting. A stranger opening one door inappropriately could be cut some slack, but if the same stranger were to open, say, three doors for no reason, even over several days at different locations, he might be questioned.
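The "flags, not violations" idea in the paragraph above, together with the earlier point that machine vision run locally works as exception reporting, can be shown concretely. What follows is an added example, not code from the article or from any vendor named in it: the local analytics are assumed to emit compact events (a plate or an anonymous person-track id, a camera name, an event kind, a timestamp) rather than video, and three counting rules turn those events into the flags the article describes. Every plate, camera name, threshold and timestamp here is constructed.

```python
"""Exception reporting over machine-vision events (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set

@dataclass(frozen=True)
class Event:
    """One compact record emitted by a camera's local analytics, instead of video."""
    subject: str   # licence plate, or an anonymous person-track id for strangers
    camera: str    # lot, gate or door camera that produced the event (names invented)
    kind: str      # "park", "perimeter_pass" or "door_open"
    ts: datetime

@dataclass(frozen=True)
class Flag:
    """Not a violation: a repeated pattern that merits a second look."""
    rule: str
    subject: str
    count: int

def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample stream; none of these plates, cameras or times are real.
SAMPLE_EVENTS = [
    Event("ABC-123", "lot-remote-C", "park", _t("2003-12-01 23:30")),
    Event("ABC-123", "lot-remote-C", "park", _t("2003-12-02 23:50")),
    Event("ABC-123", "lot-remote-C", "park", _t("2003-12-04 00:40")),  # still the night of Dec 3
    Event("XYZ-999", "lot-remote-C", "park", _t("2003-12-01 23:45")),
    Event("XYZ-999", "lot-remote-C", "park", _t("2003-12-02 14:00")),  # daytime: ignored
    Event("XYZ-999", "lot-main", "park", _t("2003-12-03 23:45")),      # main lot: ignored
    Event("LMN-456", "perimeter-gate", "perimeter_pass", _t("2003-12-02 10:00")),
    Event("LMN-456", "perimeter-gate", "perimeter_pass", _t("2003-12-02 10:12")),
    Event("LMN-456", "perimeter-gate", "perimeter_pass", _t("2003-12-02 10:25")),
    Event("LMN-456", "perimeter-gate", "perimeter_pass", _t("2003-12-02 10:40")),
    Event("ABC-123", "perimeter-gate", "perimeter_pass", _t("2003-12-02 08:00")),
    Event("ABC-123", "perimeter-gate", "perimeter_pass", _t("2003-12-02 08:09")),  # two laps: probably lost
    Event("track-7", "door-A", "door_open", _t("2003-12-01 12:00")),
    Event("track-7", "door-B", "door_open", _t("2003-12-03 16:20")),
    Event("track-7", "door-C", "door_open", _t("2003-12-04 09:05")),
    Event("track-9", "door-A", "door_open", _t("2003-12-02 11:00")),
]

def night_parking_flags(events: Iterable[Event], remote_cameras: Set[str],
                        start_hour: int = 22, end_hour: int = 5, min_nights: int = 3) -> List[Flag]:
    """Same car parked in a remote corner late at night on min_nights distinct nights.
    A park at 00:40 belongs to the previous evening, so the night key is the date six hours earlier."""
    nights = defaultdict(set)
    for e in events:
        if e.kind != "park" or e.camera not in remote_cameras:
            continue
        if not (e.ts.hour >= start_hour or e.ts.hour < end_hour):
            continue
        nights[e.subject].add((e.ts - timedelta(hours=6)).date())
    return [Flag("remote_night_parking", s, len(n))
            for s, n in sorted(nights.items()) if len(n) >= min_nights]

def perimeter_lap_flags(events: Iterable[Event], perimeter_camera: str,
                        min_laps: int = 4, window: timedelta = timedelta(hours=1)) -> List[Flag]:
    """Same car seen min_laps times at the perimeter camera within one sliding window."""
    passes = defaultdict(list)
    for e in events:
        if e.kind == "perimeter_pass" and e.camera == perimeter_camera:
            passes[e.subject].append(e.ts)
    flags = []
    for subject, stamps in sorted(passes.items()):
        stamps.sort()
        best, j = 0, 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:  # j: first pass outside the window
                j += 1
            best = max(best, j - i)
        if best >= min_laps:
            flags.append(Flag("perimeter_laps", subject, best))
    return flags

def door_flags(events: Iterable[Event], min_doors: int = 3) -> List[Flag]:
    """Same person-track opening min_doors distinct doors, on any days."""
    doors = defaultdict(set)
    for e in events:
        if e.kind == "door_open":
            doors[e.subject].add(e.camera)
    return [Flag("multiple_doors", s, len(d))
            for s, d in sorted(doors.items()) if len(d) >= min_doors]

def exception_report(events: Iterable[Event], remote_cameras=frozenset({"lot-remote-C"}),
                     perimeter_camera: str = "perimeter-gate") -> dict:
    """What leaves the camera site: a handful of flags, never the raw stream or the video."""
    events = list(events)
    flags = (night_parking_flags(events, remote_cameras)
             + perimeter_lap_flags(events, perimeter_camera)
             + door_flags(events))
    return {"events_seen": len(events), "flags": flags}

if __name__ == "__main__":
    report = exception_report(SAMPLE_EVENTS)
    print(f"{report['events_seen']} events in, {len(report['flags'])} flags out")
    for f in report["flags"]:
        print(f"  {f.rule}: {f.subject} (x{f.count})")
```

The thresholds are the article's (three nights, four laps, three doors) and are parameters precisely because a flag is a judgment call for the CSO to tune, not a rule the system enforces; the report carries counts so that a reviewer can see why a subject surfaced. Sixteen events go in and three flags come out, which is the compression the Raising Flags section describes.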

Second, an enterprise landscape view, inside and out, could be useful to other divisions and departments. For example, personnel might be interested to learn that certain employees are habitually working into the wee hours of the night; facilities management would like to know when some important piece of manufacturing equipment produces an unusual vibration that presages an impending failure; and customer support might draw useful insights from the fact that customers predictably cluster in certain areas of a store. A CSO sitting on such a powerful tool could find reason to organize an enterprisewide steering committee to help accommodate and respond to these additional interests (and perhaps pay for the necessary infrastructure). Similarly, once a security force is freed from having to sit and watch banks of monitors, it might be able to help meet other important security needs.

Until now, most enterprises have viewed security as a function grafted on by necessity, but basically not a part of the company culture. Security has been seen as generally isolated from the enterprise mission and, at bottom, not shown much appreciation. Machine vision may change that. If security is the first department to roll out this very powerful and significant technology for its own purposes, it might well find itself asked to participate when the enterprise decides to leverage it for other ends. ■

Fred Hapgood is a freelance writer based in Boston. Send feedback to machineshop@cxo.com.


While NetworkAnatomy developed the electronic components, Linman says he turned to two other companies for their particular areas of industrial design expertise—Stryker by Design for suspension and weight distribution systems, and Watershed for waterproofing.

While the CommanderPack is aimed principally at first responders, eventually everyone from night watchmen to bodyguards will benefit from the application of design principles to create more portable and intelligent networked gear. -Derek Slater

Photo: NetworkAnatomy's CommanderPack (with accessories)


Find It Online

The Council on Foreign Relations report: www.cfr.org/pdf/Responders_TF.pdf
Crye Associates: www.cryeassociates.com
ID Magazine: www.idonline.com
NetworkAnatomy: www.networkanatomy.com
The Rand and NIOSH study: www.rand.org/publications/MR/MR1646
Stryker by Design: www.strykerbydesign.com
Watershed: www.drybags.com


Supplement cover: STRATEGIES FOR MEASURING AND MAXIMIZING CUSTOMER RELATIONSHIPS


"UAN helped BMC Software solve our application integration puzzle faster and at a 40% cost savings." -Jay M. Gardner, CIO, BMC Software

Now that Jay Gardner has linked his customer-facing applications across the organization using Universal Application Network, BMC Software has seen dramatic improvements in customer service. Information that sales reps spent hours finding across multiple front and back office systems is now automatically linked to enable faster response times. And as more processes are integrated across different applications, error rates associated with manual handoffs are greatly reduced.

Pioneered by Siebel in partnership with the world's leading application integration vendors and systems integrators, UAN is an open integration solution based on XML and Web services. It integrates legacy, homegrown and packaged applications faster than traditional custom approaches. And it lowers costs because it leverages your existing IT assets.

UAN: a better way to link your company, a better way to serve your customers.

Universal Application Network. Business integration simplified.

View the UAN Interactive Demo at www.siebel.com/uandemo or call 1-800-307-2181.

©2003 Siebel Systems, Inc. All rights reserved. Siebel and the Siebel logo are trademarks of Siebel Systems, Inc., and may be registered in certain jurisdictions. Other product names, designations and logos may be the trademarks of their respective owners. The image of the Rubik's Cube is used by permission of Seven Towns Ltd.


CIO ADVERTISING SUPPLEMENT

THE ROI OF CRM | AGENDA

CRM STRATEGIES: THE METRICS & MEASUREMENTS HAVE COME OF AGE

BY TOM FIELD

It used to be that a good CRM strategy was a lot like former Supreme Court Justice Potter Stewart's 1964 opinion on obscenity: hard to define, but you knew one if you saw it. Trouble is, just a few short years ago it was tough to even see a truly good CRM strategy.

CRM projects? Yes, tons of them. Everybody in the late '90s had a CRM initiative. But metrics, results, ROI? Not so much.

Funny what an economic downturn will do, though. As IT budgets shrank and projects disappeared in the quagmire of the 2001 recession, the CRM imperative—the mandate to get closer and more responsive to customers—only grew, and with it emerged a whole new set of metrics, results and, yes, good CRM strategies.

That's what this edition of Strategic Directions is all about: The ROI of CRM—Strategies for Measuring and Maximizing Customer Relationships. What works and what doesn't? What's IT's role in a CRM strategy, and who actually "owns" the initiative? How do you pick a CRM vendor? Where do CRM analytics and business intelligence meet?

These are some of the questions tackled this issue, with answers and testimonials coming from the industry's leading CRM vendors and their customers. Real strategies, real results, real advice.

It strikes me that now is a critical time for CRM initiatives. The new year is starting, the economy is turning around and enterprises are loosening their purse strings for new projects. It's an ideal time to start defining or refining a CRM strategy.

Maybe you're just warming up for a CRM project; maybe you've been burned before. Either way, this Strategic Directions has valuable information to help ensure that not only will you know a good CRM strategy when you see it—but you'll also be able to measure and maximize it.

About Strategic Directions: As you know, Strategic Directions is the ongoing series of CIO Magazine supplements, produced by CIO's Custom Publishing group, focusing on the key business-critical technologies and solutions of the day. Through research, analysis, case studies and vendor profiles, Strategic Directions provides an executive-level primer to the hot topics on the minds of senior IT and business leaders. Previous editions this year have focused on Outsourcing, Security and Storage.

Please let us know what you think—about Strategic Directions in general, this edition in particular, and ideas you'd like us to tackle in future editions. Got any CRM best-practices you'd like to share with other IT/business leaders? Send them to me; I'll pass them along in our next issue.

Thanks for reading Strategic Directions. And thanks in advance for writing in with your feedback.

Tom Field
Director of Content Development
CXO Media Custom Publishing
Tfield@cxo.com

STRATEGIC DIRECTIONS 2004: For a preview of the upcoming 2004 Strategic Directions series, please see page 11.

STRATEGIC DIRECTIONS 3


THE ROI OF CRM | STRATEGIES

CRM STRATEGIES: WHAT WORKS, WHAT DOESN'T

The Top Line is All About Customers, But the Bottom Line is About IT's Role in Obtaining and Retaining Them


Just ask the folks on Wall Street: boosting the bottom line with cost savings and productivity improvements isn't enough these days—a necessary but not sufficient condition for competitive success. Now it's time to add topline revenues. And the top line is all about customers.

Customer relationship management (CRM) strategies and the technologies that enable them make it possible to figure out what customers want and the most profitable ways to give it to them—important in an age when acquiring new customers is about five to 10 times the cost of retaining current ones.

CRM strategies are based on the premise that quick, accurate knowledge about customers empowers organizations to increase the value of current customers, keep them longer and more effectively acquire new customers.

Despite widely circulated reports of CRM implementation failures, enterprises continue to invest in CRM technologies and solutions. Why? Because CRM-enabling technologies really can help enterprises to:

• Develop a single view of customer data. This way, regardless of touchpoint, every customer gets consistent information; duplication and redundancy is trimmed; customers aren't required to repeatedly feed in the same information about themselves to get service, which keeps them happier and improves sales and customer service staff productivity.

• Provide realtime (or near-realtime) information. So sales and customer service reps as well as customers can check product availability, order status, etc.; products and services can be more accurately and easily configured by sales staff.

• Identify and target key customer groups. Detailed knowledge about each customer can drive efforts to target their needs and spending capabilities; high-value customers can be identified and given priority.

• Track and measure sales, customer service, and marketing performance. Leads can be linked to the marketing campaigns that spawned them, so their effectiveness can be tracked; leads can be funneled more effectively to the most appropriate channel sales force; products and services for targeted customer groups can be developed in response to customer interest and demand.

• Best practices can be identified and consistently implemented. The most effective sales, service and marketing practices can be uniformly applied; sales logs can be automatically updated; repetitive, time-gobbling tasks—such as fulfilling requests for product literature—can be automated.

Evidence abounds that CRM implementations can succeed — and when they do, returns on CRM investment can be spectacular. Gartner, Inc., the Connecticut-based research/analysis firm, believes those organizations that devote at least 50 percent of their efforts to advanced customer-centric marketing processes will see a marketing ROI by 2007 that’s 30 percent greater than those who don’t.

CRM STRATEGIES AND THE TECHNOLOGIES THAT ENABLE THEM MAKE IT POSSIBLE TO FIGURE OUT WHAT CUSTOMERS WANT AND THE MOST PROFITABLE WAYS TO GIVE IT TO THEM.

4 STRATEGIC DIRECTIONS
CIO ADVERTISING SUPPLEMENT
THE ROI OF CRM | STRATEGIES

WHO OWNS CRM?

Experienced IT groups have learned that CRM needs a business owner able to drive how the enterprise should develop and use it. CRM projects driven by IT alone are much more likely to fail.

CIOs need partners in the enterprise to make CRM successful. Best bet: cross-functional teams led by an influential skeptic and comprised of key stakeholders and those with appropriate skills. You’ll need commitment from:

THE CFO. Without a convincing business case, the CFO won’t fund your project.

CUSTOMER SERVICE. These folks know more about your organization’s customers than anyone else. Listen to them as you design and build a CRM initiative.

MARKETING. Though often tactical and product-oriented, marketing people’s insights about customers can improve customer handling and campaigns.

Interdepartmental collaboration in areas where customer impact can be measured can help CRM managers launch cooperative projects that deliver tangible benefits.

Formalizing access to customer data, and rationalizing that data across all enterprise functions and departments, enables a cross-functional integration that can pay off big time. For instance, when database marketers collaborate with business unit managers, both will better appreciate the others’ needs and abilities.

“IT is the only department that intersects with all parts of a company from a strategic perspective,” says Michael Koval, vice president and CIO at real estate services provider Long & Foster. “With the correct players, IT can successfully implement the software. We can attest to that.”

Consider the UK’s Woolwich Independent Financial Advisory Services (WIFAS): its combined use of Oracle’s Database, Warehouse Builder, Portal, Application Server and other products has generated $23 million in cost savings and productivity gains, resulting in a 260 percent ROI. Its commitment to CRM has helped WIFAS grow by more than 250 percent in four years, as compared to a market average of 75 percent.

Yet, according to Gartner, as many as 85 percent of enterprises don’t understand how CRM creates value in their customer bases, at least in part because their CRM implementations have been piecemeal and disjointed. What’s missing is an enterprisewide CRM strategy that addresses these critical challenges:

■ Supporting (and cost-justifying) an ever-widening range of marketing, sales and support activities while still presenting “one friendly face” to customers.

■ Satisfying increasingly demanding customers — some of whom are much more valuable than others.

■ Integrating information from a multiplicity of barely-coordinated data silos.

CREATING A CRM BUSINESS STRATEGY

How does your enterprise use its competencies to create value propositions for its customers? Which market sectors offer the most promise?

A CRM strategy — which lays out how that promise will be pursued — can’t be formed without answers to these questions. And the strategy must be devised before plans for implementing the capabilities needed to achieve it can be completed. Steps along the way include:


KNOW YOUR OBJECTIVES. The idea is to keep and acquire customers with the greatest value potential. By establishing objectives, one can determine specific, quantifiable customer acquisition, development and retention targets that meet corporate financial goals.

How this is best accomplished depends on the kind of organization and its priorities. Of course, customer retention is important to just about all organizations. Business-to-business enterprises aiming to become a preferred supplier often give high priority to customer development. Business-to-consumer enterprises with an eye to boosting market share concentrate on customer acquisition. Government and nonprofit organizations tend to care most about customer satisfaction.


KNOW THYSELF. Start by answering these questions:

■ What are your enterprise’s goals and imperatives?

■ What should be achieved with a CRM initiative?

■ What business units will be affected?

■ What’s the condition of the IT infrastructure? What needs to be upgraded or integrated?

TRANSFORM YOUR CUSTOMER BASE INTO AN ASSET. Be customer-centric. Focus objectives on your customer lifecycle, which then mirror your product/service lifecycle. This means:

■ Analyze your customers. Look for ways that customer value is lost or unexploited. When you’ve spotted where action is required, you can set metrics and monitor them.




■ Jibe CRM and corporate strategies. CRM strategy cannot stand alone; it must be derived from corporate goals and imperatives, and it must be linked to other operational strategies.

■ Keep it flexible. In a challenging, competitive environment unpredictably impacted by discontinuous change, CRM strategy needs to be dynamic and timely, adapting operational efforts and corporate direction to market conditions. Thus, successful CRM strategy evolves in an iterative process that takes advantage of customer and operational feedback to refine objectives, tactics and processes.

CRM FOR THE ZERO-LATENCY, REALTIME ENTERPRISE

The ability to respond to events and conditions in realtime or near-realtime can provide substantial competitive advantage.

Faster response means business decisions are based on up-to-the-minute (realtime) information. Pulling it off requires integration of not just data and applications, but also key CRM, ERP and SCM processes so that decision makers have an accurate view of the organization’s activities and capabilities. This means:

• Comparing actual process performance to key performance indicators that are based on organizational objectives and

• Balancing resource utilization against cost and revenue goals.

Such performance management (also called business activity monitoring) enables decision makers to consistently and continuously deploy resources and align processes to achieve strategic goals.

Singapore’s OCBC Bank has achieved more than $2.3 million in savings each year since implementing Siebel Finance in September 2000. The bank’s successful CRM strategy has reduced insurance application processing time by 99 percent (from three days to one minute); cut information retrieval time by 83 percent (from 12 minutes to two minutes per customer); shortened customer referral time by 96 percent (from 45 minutes to two minutes); accelerated feedback escalation time by 80 percent (from five minutes to one minute); and reduced telesales time by 80 percent (from 15 minutes to three minutes per referral).

COMPANY PROFILE

Effective businesses today must earn their customers’ trust. They must learn from every interaction to deliver a superior customer experience, expanding customer loyalty to create a lasting competitive advantage.

Nortel Networks Customer Contact and Self-Service Solutions help businesses deliver a definitive customer experience and provide exceptional innovative services tailored to individual customer needs that increase retention and improve profitability.

VERSATILITY AND SEAMLESS INTEGRATION

Solution versatility allows a company to start modestly with a single site or as ambitiously as a global, multimedia implementation. Either way, businesses are assured that each investment made in Nortel Networks products or services will integrate seamlessly today and in the future.

Nortel Networks is one of the world’s largest providers of high-performance converged networks with the quality, reliability, scalability, and security to serve as a new foundation for global communications, including customer contact and self-service applications unified with CRM.

Nortel Networks has been a leader in the customer contact business, both agent-assisted and self-service, for 30 years. Today customer contact solutions support more than 35,000 contact centers, three million contact center agents, and 60 million calls per day in over 100 countries worldwide. More than 7,000 customers automate interactions using Nortel Networks self-service and speech applications. In 2002, Nortel Networks held the number-one call center market share for agent shipments in North America. Nortel Networks is also number one in global Interactive Voice Response (IVR) and speech applications shipments.

ONE NETWORK. A WORLD OF CHOICE

These solutions position a business for transformation into a proactive entity that anticipates customer needs and satisfies them with time-sensitive, valued information, wherever they are. This visionary approach — a new model of engagement with customers called “One Network. A World of Choice” — includes everything being done today in contact centers, self-service, CRM and more. A business can evolve by enhancing existing solutions to optimize investment while receiving revolutionary benefits.

Nortel Networks’ versatile, comprehensive Customer Contact and Self-Service Solutions provide an extraordinary foundation for success.

To learn more about how a company can gain a competitive advantage using these solutions, contact a local Nortel Networks office or please visit the web at www.nortelnetworks.com.

NORTEL NETWORKS

NORTEL NETWORKS CRM SUCCESS FOR CADENCE DESIGN SYSTEMS

“WE HAD A GREAT CRM PRODUCT, but our telephony infrastructure was not allowing us to get the most out of it,” says Jack Yothers, senior project manager at electronic design automation (EDA) industry leader Cadence Design Systems, Inc.

Headquartered in San Jose, Calif., Cadence is the world’s largest supplier of electronic design technologies, methodology services and design services for a variety of electronics-based products. To stay competitive in the highly dynamic and complex EDA industry, Cadence recently implemented a CRM solution from Siebel Systems. Although the solution offered numerous features important to improving customer experiences, Cadence’s decision to rely on its older communications infrastructure was getting in the way.

“We were experiencing continued system problems, the toolbar didn’t function like it was supposed to and we were simply unable to take advantage of many features, including IVR enhancements,” explains Yothers.

Not surprisingly, Cadence began phase II of its CRM implementation looking for a partner to help with the upgrading of its telephony and call center infrastructures as well as the enhancement of its self-service IVR application.

According to Yothers, Cadence evaluated several vendors, choosing Nortel Networks based on best price/performance, ability to provide improved Computer Telephony Integration (CTI) integration with Siebel’s CRM software and willingness to act in partnership with Cadence.

PARTNERSHIP KEY TO SUCCESS

“We did not want a ‘consultant’, we wanted a real partner with this upgrade,” says Yothers. “We needed a vendor that would take pride of ownership with their product and stick around to feel our pain if things took a wrong turn. Nortel worked with us from the very beginning until long after we went live with phase II — they were just like a member of the IT staff on this project,” he explains.

And nowhere was the partnership mentality more apparent than in the need to provide improved CTI with Siebel’s solution.

“Not only did Nortel deliver on the integration — we have a fully-enabled CTI toolbar with Siebel 6.3 — they actually trained our in-house developers and worked together with them to implement the final product,” says Yothers. “We are extremely happy with how this turned out. Because our own developers were intimately involved, we were not left feeling as if something we didn’t know or understand had been placed between the application and our network. Nortel really partnered with us; it’s one of the chief reasons our CRM implementation has been such a success.”

As primary provider for phase II, Nortel Networks has helped Cadence upgrade its call center with skill-based routing, including Web Client browser-based administration; added Network Control Center (NCC) to manage call traffic across the virtual network; upgraded the IVR system to Nortel Networks VPS/is; and installed Integration Package for Meridian Link (IPML) for tighter integration between the call center and IVR.

“Nortel’s performance with this upgrade gave us the confidence to continue our partnership with them as we expand our contact center operations globally,” says Yothers.

For more information, contact www.nortelnetworks.com

NORTEL NETWORKS

BUILD A REPEATABLE, CONTINUOUSLY IMPROVING PROCESS. The goal is to efficiently utilize all your organization’s resources to present one friendly, consistent face to customers. Customers should get the same information about your company from any channel — from website to call center to sales force to marketing brochure.

“With the creation of a warm hand-off process, opportunity can be passed directly to the correct department,” says Michael Koval, vice president and CIO at Long & Foster Cos., a real estate services provider with more than 10,000 sales associates. “Based on customer demands and expectation, service lines can either be created or modified. Basically, you align the customer demands to your product offerings.”

ACHIEVING THIS REQUIRES:

■ Maintaining the quality of customer interactions by tracking and analyzing all interactions with the aim of refining and improving them in the future;

■ Acquiring appropriate knowledge about customers with each interaction;

■ Integrating customer data so that it’s as complete and accurate as possible and making it accessible and usable.

Using Oracle’s E-Business Suite to update its ERP system and add CRM capabilities, C-COR dropped days sales outstanding by 8 percent, which translated into a one-time $3.7 million reduction in the company’s accounts receivable balance. The firm also slashed engineering change order process time by 85 percent and cut monthly closing time by 50 percent.

IT’S ROLE: THE IMPLEMENTERS

“CRM implementations fail because they’re seen as only IT implementations,” says Steve Wright, vice president of CRM deployment at IBM. “Without changing the supporting processes and the surrounding employee behavior and culture, driven from the highest executive level, you will not succeed.”

IT might not own CRM, but it’s usually responsible for the care and feeding of CRM technologies and solutions.

Failed CRM projects tend to lack customer-centric strategy, shun organizational change, fail to benchmark and don’t keep end-users happy.

Successful CRM efforts share these qualities:

• Customer-centric strategies. Customers are looking for added value, so figure out how to give it to them. Using PeopleSoft CRM, financial services consultant Carreker Corp.’s ability to identify unmet customer needs and then cross-sell and up-sell its products and services will result in an estimated 10 percent revenue growth with no additional employees.

• Careful planning and benchmarking. You’ll need realistic, measurable metrics — e.g., productivity increases, faster sales cycles — that signal revenue growth and/or cost reductions. And you’ll need to benchmark so you can make before-and-after comparisons.

• A champion. Sponsorship from the top is critical.

• Early involvement of end-users and designs that keep them happy. During the planning phase, do more than just gather project requirements — use the effort as an opportunity to gather project support, too. Anticipate fear of change, especially from sales staffs who want to preserve their independence, by showing end users what they’ll gain — e.g., realtime access to customer data, easy access to accurate product inventories. Make sure the CRM user interface is friendly and smoothly navigable.

• Incremental rollout. One approach is to define a small number of small projects — each needing just a few months to implement — that you believe will deliver the best results.

• Willingness to make organizational changes. You may need to redraw functional boundaries and redesign workflows. For many organizations, CRM efforts are most successful when they involve process change. Carreker Corp. overhauled its customer support call center with automated workflow and improved processes to save $200,000 per year while boosting customer satisfaction.

“Traditional internal processes tend to be silo-oriented, driving efficiency only within their function,” says Peter Andino, vice president of global sales and technical support at IBM. “CRM doesn’t work in silos. Rather, it requires an end-to-end ‘horizontal’ view of the process linkages. When the hard work of process re-engineering is not done, your CRM system is going to be less successful.”

• Training for those whose jobs will change. They’ll need more than just tech training; you’ll need to explain and justify the changes you’re imposing on their working lives.

• Integration of data, apps and processes. As CXOs seek better ways to measure and assess financial and operational performance across the enterprise, CIOs must integrate — not just data, but also applications and sometimes even business processes. This can result in initiatives that link CRM with other key corporate systems, such as enterprise resource planning (ERP), enterprise marketing management (EMM), supply chain management (SCM), product lifecycle management (PLM) and service lifecycle management (SLM).

Canada Post Corp., Canada’s fifth largest employer, is using mySAP CRM to integrate 80 legacy systems, increase cross-selling and up-selling opportunities, reduce data entry and maintenance costs, deliver superior customer service while streamlining processes and increase sales force efficiency. The company expects to eliminate 26 percent in revenue leakage and projects an ROI of 26 percent.

“CRM, by its nature, calls for a companywide focus,” says Andino. “Every function within a company needs to understand its role in creating customer satisfaction.” SD

COMPANY PROFILE

Are you looking for a Customer Relationship Management (CRM) solution that will help:

• Optimize your marketing dollars across all communication channels?

• Enable your sales representatives to drive buying decisions and increase revenue?

• Ensure your support and service organizations are providing a positive customer experience with every interaction?

• Expand globally while cutting costs and improving business processes?

DETERMINE THE REAL VALUE OF EACH OF YOUR CUSTOMERS

Today, PeopleSoft’s comprehensive, award-winning set of CRM solutions is helping businesses like Pepsi Americas, Hewlett-Packard, Lufthansa, Nextel, Electrolux, Toyota, Time Inc., NEC and DoCoMo Systems develop long-term, profitable customer relationships.

BEST-IN-CLASS CRM MODULES

Winner of the 2003 InfoWorld Reader’s Choice Award for ‘Best CRM Product’, PeopleSoft’s CRM solution offers speedy implementation (it’s built on PeopleSoft’s Pure Internet Architecture™); provides support for smart business processes (embeds real-time analytics), is easy to use (simplified navigation and user interface that presents information in context), eliminates costly customization (deep, out-of-the-box functionality) and integrates easily with PeopleSoft and non-PeopleSoft applications.

These solutions help companies address rising customer expectations through leading-edge analytics. For example:

• PeopleSoft Marketing offers personalized dialogs, advanced customer profile management to improve audience segmentation and real-time analytics, including “Smart Views,” best-of-breed online marketing, robust event-triggers, budget and task workflow.

• PeopleSoft Sales module offers flexible forecasting and territory management. The Advisor module enables real-time evaluation of customer needs. The Enterprise Pricer supports complex pricing configuration. Order Capture solutions integrate pricing, customer and order information into a single product.

• PeopleSoft Service enables organizations to create and run a successful, real-time service organization, leverage enterprise knowledge for fast and effective service, enable a multichannel contact center, improve agent productivity and boost revenue by capturing cross- and up-sell opportunities.

What’s more, PeopleSoft CRM product modules can be combined in a number of ways to address particular business challenges. And, in addition to a complete portfolio of marketing, sales and service solutions, PeopleSoft also offers industry-specific CRM solutions for communications, energy, government, high tech, financial services and insurance — as well as support for multiple languages and currencies.

For more information, call 1-800-380-SOFT (7638) or visit PeopleSoft at www.peoplesoft.com

Customers are an investment.

Maximize your return.

PeopleSoft Customer Relationship Management lets you capitalize on every customer interaction across your enterprise.

Only PeopleSoft CRM is fast to implement, easy to use, and delivers smart business processes for managing your customer relationships. It integrates real-time information across your organization to help determine the most profitable ways to manage customers. Simply, PeopleSoft CRM turns every point of customer contact into a profit opportunity. Learn more by visiting us at www.peoplesoft.com/realtime or call 1-888-773-8277

PeopleSoft

Customer Relationship Management


SELECTING CRM VENDORS: SUITE VS. BEST-OF-BREED

“Businesses understand much better now what information technology can do for improving how they work with their customers and partners,” says John Wookey, senior vice president, applications development, at Oracle Corp. “As the economy rebounds, more and more companies will return CRM to the top of their shopping lists as they focus on harnessing customer information, wherever it may lie within an enterprise, to put the customer at the center of their businesses and maximize the value of their networks of relationships.”

Whether you should opt for a CRM suite from a single vendor or an assortment of best-of-breed applications depends on the complexity of your implementation as well as whether you’ll be relying on systems integrators and/or external service providers.

Gevity HR has implemented several Oracle E-Business Suite components with impressive results: 27-percent reduction in transaction worktime, a doubling of payroll staff productivity in 18 months and a 6-percent rise in client retention.

“There are 40 to 50 different types of solutions that fit under the CRM umbrella,” says Laurie McCabe, vice president at consultancy Summit Strategies. “Some vendors cover a lot of this territory in a suite with different modules; others offer very specific point solutions. There are trade-offs in either approach, but make sure to fully understand them relative to your business’ own unique requirements.”

Advises Michael Dunne, vice president and research director at Gartner, Inc.:

• Do your homework and follow a formal evaluation process.

• Remember: you are not just buying a product, but also relationships.

• Pay attention to the total cost: software typically represents only a portion of your total cost; services represent the greatest risk and most expensive part of the endeavor.

• In this uncertain business environment, don’t ignore vendor viability.



FRONT OFFICE AND BACK: THE OPERATIONAL SIDE OF CRM

Front-office CRM solutions focus on three key customer-facing or customer-oriented functions: sales, customer service and marketing. The payoffs from each can be impressive.

SALES PAYOFFS

When sales people can spend more sales time with customers, the top line benefits:

SALES FORCE AUTOMATION. After implementing Siebel eSales and Siebel Finance, Robeco Bank Belgium saw the number of customers each of its account managers could handle jump by 20 percent. Prior to its 2001 launch of mySAP CRM, third-party agents for IPSOA, a leader in the Italian publishing market, spent approximately 35 percent of their available selling time in problem-solving mode. Today, IPSOA sales agencies conduct an average of 1.5 more customer visits per week, and agents’ selling time has increased from 65 percent to 75 percent of overall time.

SALES CONFIGURATION. Thanks to Siebel’s eConfigurator, Asyst Technologies, maker of semiconductor automation systems, has become 50 percent more accurate in its materials inventory forecasting, and in one sales group the average order configuration time has dropped from 25 days to two days.

ORDER MANAGEMENT. As part of an integrated provisioning process based on Siebel and TIBCO solutions, Oklahoma-based WilTel Communications has reduced order entry errors by 25 percent, enabling it to reassign 12 employees. The company estimates that it’s saved 450,000 person-hours, and reductions in paper processing alone save $10,000 per month. Customer-requested due dates are now achieved 90 percent of the time, up from 40 percent, which has helped to raise customer satisfaction levels from 56 percent to 89 percent.

SALES PORTALS. After implementing a portal using Siebel CRM, AMP Financial Services cut the time needed to route leads from nearly two weeks to just 30 minutes.


E-TAILING. Digital Wellbeing, a major e-business for UK pharmacy giant Boots, is using mySAP CRM to enhance the e-tailing experience for its health and beauty products customers. The company expects to derive a 72-percent internal rate of return from its mySAP CRM initiative.

CUSTOMER SERVICE PAYOFFS

mySAP CRM is helping Brother International reduce product returns and anticipate customer needs. The leading manufacturer of fax, printers and multifunction products projects a 129-percent ROI — and calculates that the reduction in product returns will save it more than $1.6 million annually.

CALL CENTERS. Using Nortel Networks’ Symposium Call Center has enabled New Zealand’s APN News & Media to cut call handling from five minutes to 3.5 minutes and to reduce time-on-hold to one minute from three-to-four minutes. British outsourcer Vertex has reduced call center operational costs by 10-to-30 percent with Symposium, and the productivity of its home-based employees has climbed 13-to-16 percent.

Since 1999, when it deployed Siebel’s Automotive Call Center, Mitsubishi Motors North America has boosted call center volume by 75 percent, lowered per-call costs by 38 percent and reduced its call-abandon rate by 8 percent. After using Siebel Call Center to streamline dozens of business processes, Asyst Technologies reports 22,000 hours in productivity savings — and cost reductions of $1.7 million — in its call center.

The UK city of Hull has used Oracle CRM technology to implement a multichannel customer service center that has cut lost calls from 14 percent to one percent, raised the number of calls answered from 57 percent to over 98 percent, and saved the city $190,000.

“CRM-ENABLING TECHNOLOGIES SHOULD HELP AN ENTERPRISE ENHANCE PERFORMANCE IN ALL AREAS ... THAT MAKE DOING BUSINESS CONVENIENT AND EFFORTLESS.”
— Roxann Swanson, general manager, customer contact and self-service solutions, Nortel Networks

SELF-SERVICE. With PeopleSoft CRM, Carreker Corp. anticipates savings of $1.2 million per year by deploying customer self-service. The firm has reduced helpdesk call volume by 90 percent; customer support headcount is down by 25 percent. Ten databases have been combined into one, and three customer support systems have been consolidated for a savings of $450,000 per year. Carreker estimates that by moving just 10 percent of its customers to self-service, it can add up to 20 new customers without adding staff.

Taking aim at its heavy email volume, retailer Eddie Bauer used Kana IQ to add self-service capabilities and a smart email management solution. In the first month of deployment, 80 percent of customer inquiries were handled by ‘Ask Eddie,’ Eddie Bauer’s self-service application. Today all email inquiries are answered in under two hours. The first company of any kind in Israel to adopt a comprehensive, automated, intelligent self-service solution into its call centers, Bank Leumi’s successful deployment of Kana IQ has resulted in training cost savings of 66 percent as well as a 17 percent boost in call avoidance.

FIELD SERVICE AUTOMATION (FSA). Storage networking solutions provider CNT’s field engineers have realized an estimated 1,800 hours of productivity savings after deploying Siebel Field Service automation.

MARKETING  PAYOFFS 

Aegis Communications Group uses PeopleSoft CRM to reduce the time it takes to develop telemarketing scripts from a week to a couple of days. Result: marketing programs are developed and executed 50 percent faster.

Hewlett-Packard Corp. is using Kana Marketing to dynamically select the most appropriate channel partner to follow up each lead, and to manage and follow up leads in real time, thus increasing the effectiveness of indirect sales channels and priority-direct sales. Result: direct sales revenue has increased by 250 percent in the first six months and channel switching is down by 50 percent.

BRINGING IT TOGETHER

“CRM-enabling technologies should help an enterprise enhance performance in all areas—sales, marketing and customer service—that make doing business convenient and effortless,” says Roxann Swanson, general manager, customer contact and self-service solutions at Nortel Networks.

“To maximize effectiveness,” she adds, “these technologies must also embrace the cornerstone of customer interactions—contact centers and self-service applications—which need to be integrated seamlessly with face-to-face interactions and unified with CRM and other business applications to create measurable and manageable business operations. Then an enterprise is able to take the customer’s point of view, to keep learning about individual customers and to use this knowledge to creatively differentiate an individual offer to strengthen customer loyalty.” SD

GETTING SMARTER ALL THE TIME: CRM ANALYTICS & BUSINESS INTELLIGENCE

ACCORDING TO AN IDC study, organizations that have successfully implemented analytic applications have seen returns stretching from 17 percent to more than 2000 percent; the study found a median return on investment (ROI) of 112 percent.

That’s because business intelligence tools and analytics solutions help them achieve insight into customer behavior and values and use this information to holistically manage marketing performance. The paybacks can be significant:

In 2002, GlaxoSmithKline AG upgraded its database and business intelligence toolset, opting for Oracle’s Warehouse Builder, Sales Analyzer, Reports and Portal. Now the pharmaceutical company can collect business-critical information in real time and compare its performance to competitors’, using the knowledge to figure which products are most profitable. Result: report generation time has been cut from four hours to seconds, ETL (extract-transform-and-load) time needed to clean the data has shrunk from 18 hours to 30 minutes, administration costs have been reduced by 50 percent and forecasting time is expected to go down 70 percent.

The Resource for Information Executives

2004 Strategic Directions Series

Strategic Directions supplements focus on key business-critical technologies and solutions with in-depth, comprehensive coverage, analysis and market data. Produced by CXO Custom Publishing, and distributed full run in CIO and CSO magazines, each issue addresses key concerns and trends with tools, tips and insight from industry experts and relevant case studies from the field.

Strategic Directions Calendar for 2004:

Secure Networks
Issue Date: April 1

The Integration Imperative
Issue Date: June 1

Business Intelligence IQ
Issue Date: September 1

ROI of Storage
Issue Date: November 1

For information on CXO Custom Publishing Strategic Directions Supplements, contact Mary Gregory, Director of Custom Publishing at 508.988.6765 or mgregory@cxo.com or John Danielowich, Project Manager at 508.988.6775 or jdanielowich@cxo.com.

Secure Networks: How to Ensure that Your Business is Protected from the Outside In

Since 9/11, enterprises have done a good job reassessing and protecting their internal information assets. But what about the networks that connect with external partners, customers and employees? Who is monitoring and securing these connections—and ensuring that they are equally protected from external threats? This supplement tackles the security, recovery and business continuity issues that CIOs face as they strive to protect their critical information networks.

The Integration Imperative: Leveraging Legacy Systems to Create New Value

We all have legacy systems running key business operations today. But how can these legacy systems be integrated in new ways, using new technologies, to drive new value in our enterprises? This supplement explores key integration issues—how to unite disparate systems, how to anticipate integration challenges—as well as the key solutions that come with trying to get the most out of integrated legacy systems.

Business Intelligence IQ: A User’s Guide

We've all come to understand the value of business intelligence (BI) and the role it plays in ensuring that we pay attention to the right concerns and customers. But how do you know whether you’ve got the systems in place to uncover the right BI? And how do you know you’re taking full advantage of this information to make smart, informed business decisions? This supplement explores how to measure and maximize BI—including the latest tools & methodologies.

ROI of Storage: Strategies for Success

In 2003, we gave you New Storage Solutions—strategies for effective data and storage management. This year, we aim to share some strategies and solutions to ensure that you maximize the dollars you spend on storage management, including cost-effective techniques and tools, storage management plans and calculating the ROI from storage solutions.

CIO is published by CXO Media Inc. | An IDG Company | 492 Old Connecticut Path | Framingham, MA 01701 | 508.872.0080 | www.cxo.com

THE ROI OF CRM | ANALYTICS & BI

The Bank of Montreal uses IBM’s DB2 and Information Warehouse software to analyze the data it gathers on several million customers to help decide product pricing, channel migration, resource planning, etc. The bank expects to save more than $270 million in four years and anticipates a shift to realtime analysis in a couple of years.

Using BI software from Brio, Toyota Motor Sales USA has reduced its vehicle transport time from 36.5 days to 17.5 days, saving millions. And significant reductions in time needed for reporting and analysis—thanks to automated exceptions-based reporting—has enabled Toyota to reassign five analysts to other tasks. It’s all added up to an annual ROI of 605 percent.



ANALYTICS EMBEDDED

“Most companies make the mistake by thinking of CRM analytics as an afterthought,” says Joe Davis, vice president and general manager, PeopleSoft CRM. “Analytics should be embedded into the application, thus enabling intelligent processes and decreasing the complexity of analytic systems.”

To get started, advises Davis, focus on:

■ Understanding the specific processes that your organization has automated, and use analytics to identify the areas that are having the most impact on the business.

■ The key customer metrics that drive your organization’s business.

■ How to distribute the insights to the appropriate users, in the appropriate format, within their business processes.

“Organizations that understand their users, and their users’ needs,” says Davis, “will ensure analytic success.”


CASE  STUDY 


Underwriters Laboratories Inc. (UL), the independent, not-for-profit safety organization, serves more than 66,000 customers in 99 countries. To stay close to its customers, Chicago-based UL operates 55 laboratories and testing and certification facilities around the world. But until recently, the company had a hard time coordinating customer service and sales activities between the different branches.

GAINING A COMPLETE CUSTOMER PICTURE

All that changed when UL began implementing Oracle E-Business Suite, a tightly integrated set of enterprise applications that seamlessly connects UL offices worldwide. Using the suite’s advanced CRM applications, UL is boosting operational efficiency and taking advantage of a host of new sales and customer service opportunities.

“We needed a solution that enabled us to capture much more information about each customer and share that information globally,” says Gary Schrempp, UL’s director of business transformation.

LOWER TCO WITH BUILT-IN INTEGRATION

UL especially likes the fact that Oracle E-Business Suite applications are engineered to work together as a unit. Oracle’s built-in integration also lowers UL’s total cost of ownership—a big plus. Implementing competing solutions would have required UL to build and maintain an interface between them—a costly and time-consuming add-on.

NEW PROCESSES BRING RELIEF

UL is using Oracle Interaction Center (also part of Oracle E-Business Suite) to fundamentally change its customer service processes.

“We can take as much as 40 percent of the workload off of our technical staff,” says Schrempp, “and focus our engineering staff on true engineering work, which will get us better responsiveness. We are expecting to see improved service to all our customers.”

MORE OPTIONS FOR SMALL CUSTOMERS

Small customers will be able to get information, order any needed information products and even apply for testing services via UL’s new online storefront built using Oracle iStore. Schrempp believes that a convenient, channel-like Oracle iStore will better suit many customers’ needs “and suit our needs better, too, in terms of efficiency and closing the sale.”

For more information about Oracle E-Business Suite and other Oracle CRM applications, please visit www.oracle.com.


THE ROI OF CRM | IMPLEMENTATION


IBM’S INTERNAL, COMPANYWIDE CRM TRANSFORMATION


IBM’s CRM initiative is one of the largest to date. When completed in 2005, IBM’s hundreds of thousands of customers, employees and partners will have a single, integrated view of customer information, sharable across applications, time zones, business units, etc.

IBM is using Siebel Systems’ eBusiness applications (more than 80,000 licenses have been purchased), IBM’s DB2 database, WebSphere e-business infrastructure software, MQSeries messaging software and a combination of IBM eServer pSeries systems coupled with an enterprise storage server (sometimes known as Shark).

WHY  DO  IT? 

IBM’s overall goal, says Peter Andino, vice president, global sales operations and technical support, is to ensure that each and every customer interaction is handled with the same degree of excellence using the same tools and data across all IBM geographies and sales channels. This will improve customer satisfaction and encourage collaboration among employees and business units. The company will also reduce the number of internally supported IT systems from about 800 in 1997 to less than 200 by 2006.

WHERE TO BEGIN?

According to Vince Ostrosky, vice president, CRM, the initiative started with a companywide look at how its organization and processes supported (or didn’t support) its customers. The point was to evaluate the effectiveness of each process by asking: “Is the way we do this now the right way, the best way to support the customer?”

WHAT’S  THE  PLAN? 

IBM began with “a careful, measured” initial rollout of Siebel’s call center package to 26 ibm.com call centers. As of October 2003, the system has been deployed in 47 ibm.com call centers in 32 countries. Now the company is tackling marketing and field sales and services; by the end of 2003, IBM will have “CRM-ed” over 40,000 employees in 47 countries.


WHAT’S  BEEN  LEARNED  SO  FAR? 

Among the key lessons gleaned so far, say Ostrosky and Andino:

■ You need genuine support from the top. And make sure you have the support of the executive sales team.

■ You must be able to say no. To deliver a truly enterprisewide CRM solution, CIOs have to be firm and just say no to any request for separate CRM solutions.

■ CRM is not just an exercise for IT. Without the cooperation of each business unit, an enterprisewide implementation like CRM is not possible. Data integration is key.

■ Data is dirtier than you believe. Yes, says IBM, what you feared is true: your data is in much worse condition than you thought. If you want the full benefit of your investment in CRM, start thinking about how to clean it up now.

■ Think about the training. You cannot pull frontline people off their posts and stick them in training for weeks at a time; the business units can’t afford to lose the man-hours.

WHAT  ABOUT  THE  BENEFITS? 

IBM keeps ROI particulars to itself, but they’re substantial and focused on:

■ Improved sales productivity, effectiveness and channel integration;

■ Increased visibility to market dynamics and the sunsetting of hundreds of non-integrated legacy applications;

■ Higher customer satisfaction through better responsiveness and ease of doing business;

■ Improved sales management effectiveness, reflected in tighter management and controls and proactive sales coaching;

■ Better forecast accuracy and reporting;

■ Enhanced partnership management.




EllisIsland.org Welcomes 70 Million Visitors a Month With Oracle, HP and Red Hat

ELLIS ISLAND TM 1982, 1987 THE STATUE OF LIBERTY-ELLIS ISLAND FOUNDATION, INC.

More than 70 million monthly visitors look for their past with the IT infrastructure of the future: HP Adaptive Enterprise Solutions, Red Hat Enterprise Linux, and Oracle Database.

oracle.com/hp or call 1.800.633.0753

Copyright © 2003, Oracle Corporation. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


Keynote Speaker: Robert Liscouski, Assistant Secretary for Infrastructure Protection, Acting Director, National Cyber Security Division, Department of Homeland Security

INFORMATION SECURITY EXECUTIVE OF THE YEAR IN GEORGIA Award

Thursday March 18th, 2004

Information Security Executive of the Year in Georgia™ honors the achievements of today's information security pioneers and recognizes excellence in managing enterprise-wide network and internet security systems. Join us at Atlanta's historic Fox Theatre on March 18, 2004, when we celebrate these forward thinking individuals.

Hosted by Executive Alliance

Nominate your Chief Security Officer, or executive in an equivalent position for the Information Security Executive of the Year in Georgia Award 2004. Nomination forms are online at www.infosecaward.com. Only a few sponsorship packages remain. Call 404.982.8562 or email info@infosecaward.com for more information.

Gigabyte Sponsors

Association Sponsors

TAG, Technology Association of Georgia
Georgia Electronic Commerce Association
ISSA

Byte Sponsors

Megabyte Sponsors

CipherTrust, Enterprise Email Security
Internet Security Systems
Lancope
PricewaterhouseCoopers
Stonesoft
IronPort Systems
Computer Associates™

Special Presentations from:

Thomas E. Noonan, President and CEO, Internet Security Systems, Inc.

Richard H. Marshall, Former Deputy Director, Critical Infrastructure Assurance Office (CIAO)

Russ Artzt, Executive Vice President, eTrust Solutions, Computer Associates

Media Sponsors

Network Magazine
CSO
TechLINKS


And  to  All, 
a  Good  Night 

The  coming  years  promise  an  increase  in  security  planning 
to  support  strategic  business  planning,  making  more  work 
for  security  people.  Will  it  be  a  CSO’s  dream  come  true  or 
one  big  nightmare?  By  Anonymous 


WHAT’S KEEPING YOU AWAKE at night these days? Sharing such security concerns with one another is nothing new. And we mostly do it for good reasons: It’s one part learning, one part giving back, and one part enlightened self-interest. The idea is that your problems today will likely be my problems tomorrow, especially if we’re in the same business sector.

So I think I keep a fairly good handle on what is in front of us as CSOs, but I’m always struck by the insights of my fellow security colleagues when I ask them about their concerns. I hear a lot about balance—or, more specifically, imbalance. I hear about more risk, less resources. More to do, less to do it with. More regulations, higher expectations.... Well, you get the picture.

“The risk landscape is hugely visible, perhaps the highest it has been in my 25 years in the business,” says one security exec. Terrorism now dominates the public mind-set and creates the mistaken impression that it is a much greater threat than anything else. We need to strike the right balance between our biggest worries—people and process integrity, workplace violence, fraud, product tampering, counterfeiting—and terrorism.

Yet there’s an interesting dichotomy to the continuing impact of 9/11. The tragedy in September 2001 caused attention to security risks as part of the critical infrastructure to dramatically increase. But since then much of the focus on safety and security has waned, and fears seem to be inversely proportional to the length of time since the last incident.

“All this DHS color crap has everyone totally turned off,” is how another friend puts it.

I can’t imagine a company that doesn’t have security somewhere on its radar these days, if for no other reason than the daily threat of malicious and criminal attacks on our networks. Thanks to the insecurity Microsoft has brought to our IT world, most companies have had to get good at virus and patch management. A backhanded plus, I guess.

Another plus is that network management is getting more attention. That said, remote access capabilities such as virtual private networks continue to keep our IT security friends tossing and turning.

We’ve all watched the cyber side of our businesses get increasingly more insidious. “Keeping a strong enough control environment on every device is very hard and very costly,” says a CISO colleague of mine. “As a result, many people are coming to the conclusion that we need to use gateway technology internally to create partitioned networks within the enterprise’s wide area network to either protect the contents from higher risk outside the corporation or to wall off high-risk activities from the rest of the enterprise WAN,” he says. “We’re doing better at defending against the worm and virus attacks, but it’s costly.”

The  Cost  of  Doing  Business 

Meanwhile, the concern for cost management is universal—it continues to put pressure on all but the most immediate risk-oriented security budgets. The struggle seems more and more like a permanent fixture rather than a wait-until-things-improve business focus. Most of us believe that the cost pressures are here to stay. Thus, we need to recognize that security is part of the cost of doing business and get smarter about our management of scarce resources.

A number of CSOs also believe that the current business models will have serious consequences for corporate security, what with heavy emphasis on international outsourcing and global business-to-business relationships. Manufacturing opportunities in developing countries, for example, raise potential risks for employees, travelers and transportation of products.

“Do you realize how many countries we’re in with really risky processes where we can’t perform effective due diligence on people and companies?” says one CSO. “Mainframe access? It’s absurd!”

We give our “partners” the keys to our most sensitive information and processes, and what do we get from the proponents when we say, “Wait. Who are these guys and what assurances do we have that they will abide by our policies and safeguards?”

58 www.csoonline.com December 2003

ILLUSTRATION BY BRUCE MACPHERSON

Some combinations are just natural winners. Like the combination of your security management experience and ISACA®’s new information security certification, CISM™

CISM (Certified Information Security Manager™) is a groundbreaking credential specifically designed for information security managers. It is intended for those who must maintain a big-picture outlook by directing, crafting and overseeing an organization’s information security.

This new credential is brought to you by Information Systems Audit and Control Association®, the organization that has administered the world’s most prestigious IS audit credential for 25 years.

A grandfathering opportunity, available through 31 December 2003, allows information security professionals with the necessary experience to apply for certification without taking the CISM exam.

REGISTRATION DEADLINES: EARLY: 4 FEBRUARY 2004 FINAL: 31 MARCH 2004 EXAM DATE: 12 JUNE 2004
Visit the ISACA web site at www.isaca.org/cism and find out how to be a part of a winning combination.

CSO Undercover


Even the most elementary look at the risk profile in the countries we have selected to provide these critical functions will point to a need for concern. Product diversion, theft, employee and family safety, investment and reputational risk, personal integrity and a host of other threats not typically understood by North American business executives confront this cost-management trend.

A CSO friend in London shares this concern but emphasizes the impact of U.S. policy. He believes the risk landscape will get much worse “if the postwar management of Afghanistan and Iraq continue on their current, inadequate path and the tense Arab-Israeli issue remains ineffectively addressed—all escalating rather than reducing the risk of terrorism,” he says. “The prospects of a more effective global jihad increases, as does the likelihood of a serious weakening of the links between the United States and its natural allies.”

In my view, many of our non-North American colleagues have a much more realistic view of terrorism and business risks associated with it. They have lived it at home and in various countries in which they have served in both public- and private-sector lives. They see threats to employee safety and business continuity firsthand almost on a daily basis.

Then, not too long ago, SARS joined up with our anthrax angst and the continuing cyberhits to reaffirm the potential impact of terrorism on international commerce and to put yet another threat benchmark on business interruption.

Getting  Closer  All  the  Time 

With all this new attention on security, has access to the senior management improved? “It wasn’t an issue to begin with,” is the general consensus. “Established CSOs were already in front of senior management. Access didn’t need to improve.”

The times, however, have given a push to business units that often have laryngitis when it comes to cheerleading team security. Several CSOs commented that better visibility post-9/11 has generated more requests for service from disparate customers and some new ones. “We’re getting closer to the business units than ever before, and we are now moving from a consultative role to that of a business adviser on product launches, M&A activity and fraud risk,” says one.

Many CSOs support the view that security is viewed completely differently. “We’re much more respected by a broader population than ever before,” says another. “My department is changing dramatically. Proactive versus reactive, strategic versus tactical, influence versus dictate, big picture solutions versus the one-off Band-Aid, managing expenses for reduction versus spending to budget. The expectation from the top is that we will be more business-minded and worldly.”

And just about everyone comments on a continuing concern for the lack of a real public-private connection. There are glimmers here and there, and from a few officials in the DHS who understand the problem. I find it fascinating that they’re the few who are former corporate security professionals.


And, finally, the regulatory environment is on the radar these days. “Conflicting regulations will add to the cost of doing business without adding anything to overall national security,” is how CSOs articulate their frustration. The Patriot Act inquiries roll on in financial services. The chemical industry is facing the prospect of having regulatory oversight of security by the Environmental Protection Agency. Now, I seriously doubt that anyone at the EPA can even spell security, but it’s a way for them to fatten their already bloated budgets.

Where  the  Action  Is 

Trend-wise, we’re seeing CSOs being given added responsibilities as compliance officers (but without adequate resourcing, they add). And previously established employee hot lines are receiving a boost from internal advertising and audit committee monitoring. One U.K.-based CSO has benefited from such an environment. “Both the board and the group audit committee invite me now into their meetings as a matter of course. And my department has become integral to the creation and maintenance of the corporate governance manual, and that has helped improve access to some of the business units,” he says.

The good news is the affirmation of a real connection between CSOs and their senior management and the visibility of that support by the next few tiers below. These are the tough sells, and getting them aboard is where the real action is. Like one of our international CSO colleagues, you’d likely have a good weekend after hearing your CEO sum up his perception of security at the annual general meeting: “Security added real value by being an integral part of the business rather than working on its fringes.”

These are especially challenging times for corporate security. For those of you who have foolishly asked for a manageable crisis to awaken management, don’t look now. You have a menu of crises to choose from. But be careful what you ask for. The question is whether it’s really manageable where you already are. ■

This column is written anonymously by a real CSO. E-mail reader feedback to csoundercover@cxo.com.




VALUE RETREAT AWARDS CEREMONY

FEBRUARY 8-10, 2004 • TRUMP INTERNATIONAL SONESTA BEACH RESORT • MIAMI/SUNNY ISLES, FLORIDA


Retreat  Moderator:  Peter  Weill 

Director,  Center  for  Information  Systems 
Research,  MIT  Sloan  School  of  Management 

The  Case  Studies 

Peter Weill once again joins us to present new findings and case studies from work with hundreds of Global 1000 companies, focusing on IT needs for different business models. He will also conduct a workshop on IT governance with insights and case studies from MIT CISR’s study on how top financial performers govern IT and the five key decisions: IT principles, architecture, infrastructure, applications needs and investment.


The  Peer  Networking 

From informative chats at breakfast and lunch roundtables, to the intensely interactive case study workgroup sessions, to relaxed conversations during the daily end-of-sessions receptions, we give you more opportunities to meet and learn from more of your peers.

“Excellent opportunity to network with those who have overcome the various challenges. Lessons learned are not the usual academic fare, but the subtleties of the cultural and technological minefields.”

-EVELYN  LOCKETT  WOODS,  EVP/CIO, 
JOINT  COMMISSION  ON  ACCREDITATION  OF 
HEALTHCARE  ORGANIZATIONS 


The  Enterprise  Value 
Award  Winner  Presentations 

We offer breakout sessions with this year's winning organizations. It’s your chance to talk at a more intimate level, discuss their particular case in more detail and take away lessons you can apply to your own organization back home.

• Academic Management Services
• Ace Hardware Corporation
• Chicago Police Department
• Continental Airlines
• Dell Computer
• Guardian Life Insurance Company of America
• Korn/Ferry International
• Pfizer Global Research & Development
• Procter & Gamble Company
• Worldspan LP

Call 800.355.0246 or visit us at www.cio.com/conferences


This year's Enterprise Value Retreat Awards Ceremony is proudly underwritten by BMC Software.

Sponsored by: Deloitte; SAVVIS (“Trust the network that powers Wall Street to empower your business”); SupportSoft; Cigital.

Presented by: The Resource for Information Executives (CIO) and The Resource for Security Executives (CSO).


Sales  and 
Services 

CSO  Sales  Offices 

President  Walter  Manninen  •  508  935-4101 

Group  Publisher 

Gary  J.  Beach  •  508  935-4202 

Publisher  Bob  Bragdon  •  508  935-4443 

Executive  VP  Sales/Custom  Publishing 

Ellen  Romanow  •  508  935-4796 

East  Coast 

Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Eastern  Regional  Account  Executive 
Kim  Forrest  •  508  935-4068 
Regional  Sales  Director 
Kathy  Powers  •  201  634-2331 
Midwest 

Regional  Sales  Director 
Robert  E.  Sawdon  •  512  306-9801 
Senior  District  Sales  Manager 
Beth  DeVillez  •  847  441-3140 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Sales  Manager 
Jane  Evans  •  415  975-2680 
Senior  Regional  Sales  Manager 
Ai  Collins  •  415  975-2686 
Senior  Account  Executive 
Isaac  Ugay  •  949  475-5579 

List  Services 

List  Services  Director 
Kathryn  A.W.  Marston  •  508  935-4072 
List  Services  Account  Executive 
Stephanie  Roy  •  508  935-4151 

Online  Services 

VP/Online  Sales 
Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 
Project  Managers 
John  Danielowich,  Amy  Greenleaf 
Graphic  Designer  Chris  Brown 

Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator 

Lisa  Stevenson 


Executive  Programs 

EP  Senior  Vice  President  Jennifer  Richards 

Conference  Management  VP 

Cynthia  Mollus 

Marketing  Services  Director 

Shellie  Rapson  James 

Business  Development  VP  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Marketing  Manager  Glede  Kabongo 

Marketing  Services  Coordinator 

Andrea  Slobogan 

Event  Development  Specialist 

Sandra  J.  Hughey 

Operations  Coordinator  Michael  Barbato 
Event Planning Manager Amy Turell 
Senior  Customer  Service  Coordinator 
Sarah  Yee 

Marketing 

Executive  VP/Marketing 
Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate 
Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Associate  Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For  article  reprints  (500  quantity  or  more), 
please  contact  Chad  Johnston  at 
RSiCopyright  at  651  582-3800  or  e-mail 
csoreprints@rsicopyright.com. 

For  further  sales  information,  visit 
www.csoonline.com/reprints/index.html. 


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal  Information 

CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodicals Postage Paid at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions 

Copyright 2003 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send requests to Andrew Burrell, CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701. Telephone 508 935-4785. E-mail aburrell@cxo.com.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: %.

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125.  CSO 
is  free  to  qualified  information  executives. 

To all others the one-year basic rate is $90 for the United States and Canada, $115 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index  of 
Companies  and 
Advertisers 

Page numbers refer to the first page of the article(s) in which the company has a substantial mention. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.

Company Index

ABN Amro Holding NV ... 28
Alta Associates ... 15, 28
American Electric Power Co. Inc. ... 34
AMR Research Inc. ... 15
ArcSight Inc. ... 46
Boston Scientific Corp. ... 34
Cable & Wireless ... 40
California State Teachers' Retirement System ... 34
Chiron Corp. ... 40
Cisco Systems Inc. ... 46
Coca-Cola Co., The ... 15
ConceptLabs Inc. ... 46
ConnecTerra Inc. ... 15
ConocoPhillips ... 34
Counterpane Internet Security Inc. ... 34, 46
Crye Associates ... 53
Dow Corning Corp. ... 53
E.I. du Pont de Nemours and Co. ... 53
Electro-Optical Technologies Inc. ... 53
Forrester Research Inc. ... 22
Foundstone Inc. ... 46
Genzyme Corp. ... 28
Gillette Co., The ... 15
Guardent Inc. ... 53
Hi-Tech Solutions USA ... 53
HowStuffWorks.com ... 53
Identix Inc. ... 15
Internet Security Systems Inc. ... 46
JPA Management ... 53
Massachusetts General Hospital ... 34
Network Associates Inc. ... 46
NetworkAnatomy LLC ... 53
Newton Security Inc. ... 53
Oracle Corp. ... 15, 40
Rand ... 53
RSA Security Inc. ... 22
Sana Security Inc. ... 46
Shaklee Corp. ... 40
Sony Electronics Inc. ... 40
Starbucks Corp. ... 28
State Street Corp. ... 34
Stryker by Design ... 53
Sun Microsystems Inc. ... 15
Teros Inc. ... 46
Unisys Corp. ... 46
Viisage Technology Inc. ... 15
Wal-Mart Stores Inc. ... 15
Watershed ... 53
W.L. Gore & Associates Inc. ... 34
Xerox Corp. ... 28

Advertiser Index

Anixter Inc. ... 11
Authenex Inc. ... 5
Cisco Systems Inc. ... 8
Computer Associates Intl. Inc. ... C4
CXO Media Inc. ... 25, 61, 63
FaceTime Communications Inc. ... 63
GuardedNet ... 26
IBM Corp. ... 51
Information Security Executive Awards ... 57
Information Systems Audit and Control Assoc. ... 59
Internet Security Systems ... 7
(ISC)2 ... 23
Lancope Inc. ... C3
LG Electronics U.S.A., Iris Technology Division ... 52
Lucent Technologies ... 17
Lumigent Corp. ... 21
nCircle Network Security Inc. ... 63
NetIQ Corp. ... 19
Network Associates ... 2
Quova Inc. ... 55
Sungard Availability Services ... 13
Symantec Corp. ... C2
VeriSign Inc. ... 14




[Ad illustration: two instant-messaging windows, buddyone and buddytwo]

buddyone: hey, here's the information about the confidential zodiac project

Notice: It's against company policy to transfer confidential information using instant messaging - this message has been blocked

buddytwo: hey, what's that notice?

buddyone: Oh, it's a message from our FaceTime IM system for security, management and control of IM. I forgot we can't discuss this project online.

FaceTime Communications

FaceTime Communications, Inc.
1159 Triton Drive
Foster City, CA 94404
Toll Free (888) 349-FACE (3223)
Phone (650) 574-1600
Fax (650) 574-2700
www.facetime.com


Concerned  about  Instant  Messaging  (IM) 
and  Security? 

The tremendous popularity of IM in the corporate workplace is causing serious security challenges for many IT professionals. Some organizations have taken radical steps to limit or abolish the use of IM; however, there is a better solution: the FaceTime Suite of IM security and management solutions.

Find out why companies such as yours have chosen FaceTime to help them with their instant messaging needs. Receive your FREE white paper on securing and managing IM in your company.

Contact us today at 1-888-349-3223 or visit us at www.facetime.com.


99%  of  all  reported  network  intrusions  "result  from 
exploitation  of  known  vulnerabilities  or  configuration 
errors,  for  which  countermeasures  were  available. " 

-  CERT* 

nCircle  IP360  is  the  only  solution  that 
enables  you  to: 

DISCOVER 

Identify  all  active  IP-enabled  devices  in 
your  network 

ASSESS 

Accurately  determine  the  risk  posture 
of  your  network  from  these  devices 

PROTECT 

Eliminate  risk  by  remediation  focused 
on  prioritized  vulnerabilities 

nCircle 

Proactive  Network  Security. 

www.ncircle.com 

888.464.2900 


Upcoming Issues / Ad Close Deadlines

January issue: 12/4/03
February issue: 1/8/04


The  CSO  Marketplace 

Brand your company and shorten your sales cycle by advertising in the Marketplace section of CSO magazine! Our audience of 25,000 senior security executives will spend an average of $27 million on security products and services in 2004.

■ 100% of CSO subscribers are involved in purchasing security products/solutions
■ CSO subscribers spend an average of 79 minutes reading each issue
■ CSO magazine is the publication most relied upon for security-related strategies and best practices

Don’t miss this unique opportunity to reach a quality, involved audience. For more information on advertising in the CSO Marketplace, contact Kim Forrest at 508 935-4068 or kforrest@cxo.com.




2003: The Quiz

For Questions 1-5: According to a Federal Trade Commission report

1. What percentage of Americans learned that they had suffered ID theft in 2003?
a. 0.01%  b. 1%  c. 4.6%  d. 25%

2. How much on average did businesses lose per victim due to ID theft?
a. $4.80  b. $48  c. $480  d. $4,800

3. How much on average did victims lose per incident?
a. $5  b. $50  c. $500  d. $5,000

4. How long did it take the average victim to resolve an ID theft case?
a. 30 hours  b. 3 days  c. 3 weeks  d. 3 months

5. If last year’s number of new ID theft victims stayed constant, in about what year would all American adults have been victimized by ID theft?
a. 2140  b. 2084  c. 2035  d. 2010

6. Which of the following incidents did not happen in 2003?
a. A man dressed as Osama bin Laden in a pink ball gown snuck into Prince William’s birthday party in Windsor Castle.
b. A couple broke into a nuclear plant in Saskatchewan to “join the Isotope Club.”
c. The Social Security numbers of Mitt Romney, governor of Massachusetts, and Tom Menino, mayor of Boston, were acquired on the Internet and sold for $30 each to demonstrate how easy ID theft is.
d. A sketch by Salvador Dali valued at $250,000 was stolen from Rikers Island correctional facility, allegedly by prison officers who staged a fire drill to filch the original and replace it with a crude copy.

7. What was the estimated cost of the blackout of 2003?
a. $60M  b. $600M  c. $1B  d. $6B

8. According to the Toronto Star, what is the average age of the North American power grid?
a. 50 to 60 years  b. 30 to 40 years  c. 20 to 30 years  d. Less than 10 years

9. The electric power sector consumed about 5.7 quadrillion Btu in 1953. How much did it consume in 2003?
a. About twice as much  b. About three times as much  c. About five times as much  d. About seven times as much

10. True or False: In media reports based on testimony to Congress, the blackout has been blamed on the electric grid’s age and capacity.

11. What’s the 2004 Homeland Security budget per American citizen?
a. $1  b. $128  c. $897  d. $1,011

12. About how many miles of 2-inch-wide duct tape could you buy with the 2004 Homeland Security budget?
a. 560  b. 899,000  c. 2M  d. 256M

13. True or False: A Massachusetts inmate escaped from prison in October because a motion-detection alarm failed.

Bonus Question
What is the significance of the phrase “worms torch gutty input”?

How’d You Do?
0-5 correct: YOU FELL FOR THE ISOTOPE CLUB.
6-12 correct: YOU GUESSED.
13-14 correct: YOU USED A CALCULATOR.

ANSWERS: 1. C, 2. D, 3. C, 4. A, 5. C, 6. B, 7. D, 8. A, 9. D, 10. FALSE (IT’S LARGELY BLAMED ON DEREGULATION AND HUMAN ERROR), 11. B, 12. D, 13. FALSE (THE MOTION-DETECTION ALARM WORKED; A GUARD IGNORED IT). BONUS QUESTION: IT IS AN ANAGRAM OF “TRUSTWORTHY COMPUTING.”


ILLUSTRATION  BY  ZACHARY  PULLEN 


BRIDGING  THE  GAP 

BETWEEN  SECURITY  AND  NETWORK  OPERATIONS 


STEALTHWATCH by Lancope


Security  Through  Network  Intelligence™ 

Discover  how  StealthWatch™  by  Lancope,  the  next-generation  network  security  solution,  delivers 
behavior-based  intrusion  detection,  policy  enforcement  and  insightful  network  intelligence.  With 
integrated  visibility  across  network  security,  traffic  characteristics  and  host-level  activity, 
StealthWatch  provides  unparalleled  network  protection  and  optimization.  Download  the  white 
paper  ‘How  StealthWatch  Bridges  the  Gap’  from  www.lancope.com/whitepaper/cso. 


StealthWatch and Lancope are registered trademarks of Lancope, Inc. 
© 2003 Lancope, Inc. All rights reserved. 


Lancope 


The  right  management  should  do  more  than  just  protect. 

It  should  also  enable. 

eTrust™  Security  Management  Software 

With  eTrust  security  management  software,  your  information  isn't  just  safeguarded  from  internal  and  external  threats. 
We  provide  authorized  customers,  partners,  and  employees  with  appropriate  access  that  can  help  your  business  grow. 
In  addition  to  securing  data,  eTrust  also  provides  a  single  view  of  your  security  environment,  so  you  can  make  real-time 
decisions  based  on  comprehensive  information.  If  you're  looking  for  ways  to  minimize  risk  while  maximizing  your 
potential,  or  to  get  a  white  paper,  go  to  ca.com/security. 


Computer  Associates® 


©  2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


